@atproto/oauth-provider 0.18.4 → 0.19.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +16 -0
- package/dist/account/account-manager.d.ts +11 -7
- package/dist/account/account-manager.d.ts.map +1 -1
- package/dist/account/account-manager.js +82 -19
- package/dist/account/account-manager.js.map +1 -1
- package/dist/account/account-store.d.ts +47 -13
- package/dist/account/account-store.d.ts.map +1 -1
- package/dist/account/account-store.js +4 -1
- package/dist/account/account-store.js.map +1 -1
- package/dist/account/sign-up-input.d.ts +2 -2
- package/dist/errors/invalid-credentials-error.d.ts +9 -9
- package/dist/errors/invalid-credentials-error.d.ts.map +1 -1
- package/dist/errors/invalid-credentials-error.js +8 -8
- package/dist/errors/invalid-credentials-error.js.map +1 -1
- package/dist/lib/util/function.js +1 -1
- package/dist/lib/util/function.js.map +1 -1
- package/dist/oauth-hooks.d.ts +77 -4
- package/dist/oauth-hooks.d.ts.map +1 -1
- package/dist/oauth-hooks.js.map +1 -1
- package/dist/oauth-provider.d.ts.map +1 -1
- package/dist/oauth-provider.js +15 -9
- package/dist/oauth-provider.js.map +1 -1
- package/dist/request/request-data.d.ts +4 -4
- package/dist/request/request-data.d.ts.map +1 -1
- package/dist/request/request-data.js +1 -1
- package/dist/request/request-data.js.map +1 -1
- package/dist/request/request-manager.d.ts.map +1 -1
- package/dist/request/request-manager.js +7 -4
- package/dist/request/request-manager.js.map +1 -1
- package/dist/request/request-store.d.ts +1 -1
- package/dist/request/request-store.js.map +1 -1
- package/dist/result/authorization-result-authorize-page.d.ts +1 -1
- package/dist/result/authorization-result-authorize-page.js.map +1 -1
- package/dist/router/assets/send-authorization-page.js +1 -1
- package/dist/router/assets/send-authorization-page.js.map +1 -1
- package/dist/router/create-api-middleware.d.ts.map +1 -1
- package/dist/router/create-api-middleware.js +87 -51
- package/dist/router/create-api-middleware.js.map +1 -1
- package/dist/signer/access-token-payload.d.ts +15 -15
- package/dist/signer/access-token-payload.js +2 -2
- package/dist/signer/access-token-payload.js.map +1 -1
- package/dist/signer/api-token-payload.d.ts +15 -15
- package/dist/signer/api-token-payload.js +2 -2
- package/dist/signer/api-token-payload.js.map +1 -1
- package/dist/signer/signer.d.ts +6 -187
- package/dist/signer/signer.d.ts.map +1 -1
- package/dist/signer/signer.js.map +1 -1
- package/dist/token/token-claims.d.ts +2 -1
- package/dist/token/token-claims.d.ts.map +1 -1
- package/dist/token/token-claims.js.map +1 -1
- package/dist/token/token-data.d.ts +3 -3
- package/dist/token/token-data.d.ts.map +1 -1
- package/dist/token/token-data.js.map +1 -1
- package/dist/token/token-manager.d.ts +3 -3
- package/dist/token/token-manager.d.ts.map +1 -1
- package/dist/token/token-manager.js +14 -14
- package/dist/token/token-manager.js.map +1 -1
- package/dist/token/token-store.d.ts +3 -3
- package/dist/token/token-store.d.ts.map +1 -1
- package/dist/token/token-store.js.map +1 -1
- package/dist/types/handle.d.ts +5 -1
- package/dist/types/handle.d.ts.map +1 -1
- package/dist/types/handle.js +9 -8
- package/dist/types/handle.js.map +1 -1
- package/package.json +10 -10
- package/src/account/account-manager.ts +123 -20
- package/src/account/account-store.ts +59 -11
- package/src/errors/invalid-credentials-error.ts +8 -8
- package/src/lib/util/function.ts +2 -2
- package/src/oauth-hooks.ts +85 -3
- package/src/oauth-provider.ts +17 -9
- package/src/request/request-data.ts +5 -5
- package/src/request/request-manager.ts +11 -4
- package/src/request/request-store.ts +1 -1
- package/src/result/authorization-result-authorize-page.ts +1 -1
- package/src/router/assets/send-authorization-page.ts +1 -1
- package/src/router/create-api-middleware.ts +128 -67
- package/src/signer/access-token-payload.ts +2 -2
- package/src/signer/api-token-payload.ts +2 -2
- package/src/signer/signer.ts +13 -4
- package/src/token/token-claims.ts +2 -1
- package/src/token/token-data.ts +3 -3
- package/src/token/token-manager.ts +15 -15
- package/src/token/token-store.ts +3 -3
- package/src/types/handle.ts +21 -16
- package/tsconfig.build.tsbuildinfo +1 -1
- package/dist/oidc/sub.d.ts +0 -4
- package/dist/oidc/sub.d.ts.map +0 -1
- package/dist/oidc/sub.js +0 -3
- package/dist/oidc/sub.js.map +0 -1
- package/src/oidc/sub.ts +0 -4
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,21 @@
|
|
|
1
1
|
# @atproto/oauth-provider
|
|
2
2
|
|
|
3
|
+
## 0.19.0
|
|
4
|
+
|
|
5
|
+
### Minor Changes
|
|
6
|
+
|
|
7
|
+
- [#5053](https://github.com/bluesky-social/atproto/pull/5053) [`9acd39b`](https://github.com/bluesky-social/atproto/commit/9acd39b22ead6c0c56428297de425bd2b9a3c61f) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Update `Account` properties to contain strongly typed `did`
|
|
8
|
+
|
|
9
|
+
- [#5053](https://github.com/bluesky-social/atproto/pull/5053) [`9acd39b`](https://github.com/bluesky-social/atproto/commit/9acd39b22ead6c0c56428297de425bd2b9a3c61f) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add ability to deactivate and delete account from the account manager interface
|
|
10
|
+
|
|
11
|
+
### Patch Changes
|
|
12
|
+
|
|
13
|
+
- [#5053](https://github.com/bluesky-social/atproto/pull/5053) [`9acd39b`](https://github.com/bluesky-social/atproto/commit/9acd39b22ead6c0c56428297de425bd2b9a3c61f) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Remove unused `consentRequired` logic from OAuth consent flow UI
|
|
14
|
+
|
|
15
|
+
- Updated dependencies [[`9acd39b`](https://github.com/bluesky-social/atproto/commit/9acd39b22ead6c0c56428297de425bd2b9a3c61f), [`6fcf9b2`](https://github.com/bluesky-social/atproto/commit/6fcf9b20d8ed4b30d63f97b9311e81c25f12b684), [`61c0066`](https://github.com/bluesky-social/atproto/commit/61c006651b874558c1b24110b01806067b93b49a), [`9acd39b`](https://github.com/bluesky-social/atproto/commit/9acd39b22ead6c0c56428297de425bd2b9a3c61f), [`9acd39b`](https://github.com/bluesky-social/atproto/commit/9acd39b22ead6c0c56428297de425bd2b9a3c61f), [`9acd39b`](https://github.com/bluesky-social/atproto/commit/9acd39b22ead6c0c56428297de425bd2b9a3c61f), [`9acd39b`](https://github.com/bluesky-social/atproto/commit/9acd39b22ead6c0c56428297de425bd2b9a3c61f), [`dd77cdd`](https://github.com/bluesky-social/atproto/commit/dd77cdd4d728c6d9fa0429629cb66266ec88ca96), [`22b0c43`](https://github.com/bluesky-social/atproto/commit/22b0c43401d8c6b8e622e1737333671e8847674f), [`9acd39b`](https://github.com/bluesky-social/atproto/commit/9acd39b22ead6c0c56428297de425bd2b9a3c61f), [`55172ab`](https://github.com/bluesky-social/atproto/commit/55172aba771b54d5eed73e5b314bf7c3a2f7364a)]:
|
|
16
|
+
- @atproto/oauth-provider-api@0.7.0
|
|
17
|
+
- @atproto/oauth-provider-ui@0.8.0
|
|
18
|
+
|
|
3
19
|
## 0.18.4
|
|
4
20
|
|
|
5
21
|
### Patch Changes
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { Did } from '@atproto/did';
|
|
1
2
|
import { OAuthIssuerIdentifier } from '@atproto/oauth-types';
|
|
2
3
|
import { ClientId } from '../client/client-id.js';
|
|
3
4
|
import { Client } from '../client/client.js';
|
|
@@ -5,8 +6,7 @@ import { DeviceId } from '../device/device-id.js';
|
|
|
5
6
|
import { HCaptchaClient, HcaptchaVerifyResult } from '../lib/hcaptcha.js';
|
|
6
7
|
import { OAuthHooks, RequestMetadata } from '../oauth-hooks.js';
|
|
7
8
|
import { Customization } from '../oauth-provider.js';
|
|
8
|
-
import {
|
|
9
|
-
import { Account, AccountStore, AuthorizedClientData, DeviceAccount, ResetPasswordConfirmInput, ResetPasswordRequestInput, SignUpData, UpdateEmailConfirmInput, UpdateEmailRequestInput, UpdateHandleData, VerifyEmailConfirmInput, VerifyEmailRequestInput } from './account-store.js';
|
|
9
|
+
import { Account, AccountStore, AuthorizedClientData, DeleteAccountConfirmInput, DeleteAccountRequestInput, DeviceAccount, ResetPasswordConfirmInput, ResetPasswordRequestInput, SignUpData, UpdateEmailConfirmInput, UpdateEmailRequestInput, UpdateHandleData, VerifyEmailConfirmInput, VerifyEmailRequestInput } from './account-store.js';
|
|
10
10
|
import { SignInData } from './sign-in-data.js';
|
|
11
11
|
import { SignUpInput } from './sign-up-input.js';
|
|
12
12
|
export declare class AccountManager {
|
|
@@ -20,16 +20,16 @@ export declare class AccountManager {
|
|
|
20
20
|
protected buildSignupData(input: SignUpInput, deviceId: DeviceId, deviceMetadata: RequestMetadata): Promise<SignUpData>;
|
|
21
21
|
createAccount(deviceId: DeviceId, deviceMetadata: RequestMetadata, input: SignUpInput): Promise<Account>;
|
|
22
22
|
authenticateAccount(deviceId: DeviceId, deviceMetadata: RequestMetadata, data: SignInData, clientId?: ClientId): Promise<Account>;
|
|
23
|
-
upsertDeviceAccount(deviceId: DeviceId,
|
|
24
|
-
getDeviceAccount(deviceId: DeviceId,
|
|
23
|
+
upsertDeviceAccount(deviceId: DeviceId, did: Did): Promise<void>;
|
|
24
|
+
getDeviceAccount(deviceId: DeviceId, did: Did): Promise<DeviceAccount>;
|
|
25
25
|
setAuthorizedClient(account: Account, client: Client, data: AuthorizedClientData): Promise<void>;
|
|
26
|
-
getAccount(
|
|
26
|
+
getAccount(did: Did): Promise<{
|
|
27
27
|
account: Account;
|
|
28
28
|
authorizedClients: import("./account-store.js").AuthorizedClients;
|
|
29
29
|
}>;
|
|
30
|
-
removeDeviceAccount(deviceId: DeviceId,
|
|
30
|
+
removeDeviceAccount(deviceId: DeviceId, did: Did): Promise<void>;
|
|
31
31
|
listDeviceAccounts(deviceId: DeviceId): Promise<DeviceAccount[]>;
|
|
32
|
-
listAccountDevices(
|
|
32
|
+
listAccountDevices(did: Did): Promise<DeviceAccount[]>;
|
|
33
33
|
resetPasswordRequest(deviceId: DeviceId, deviceMetadata: RequestMetadata, input: ResetPasswordRequestInput): Promise<void>;
|
|
34
34
|
resetPasswordConfirm(deviceId: DeviceId, deviceMetadata: RequestMetadata, input: ResetPasswordConfirmInput): Promise<Account>;
|
|
35
35
|
verifyHandleAvailability(handle: string): Promise<void>;
|
|
@@ -40,5 +40,9 @@ export declare class AccountManager {
|
|
|
40
40
|
verifyEmailRequest(deviceId: DeviceId, deviceMetadata: RequestMetadata, input: VerifyEmailRequestInput, account: Account): Promise<void>;
|
|
41
41
|
verifyEmailConfirm(deviceId: DeviceId, deviceMetadata: RequestMetadata, input: VerifyEmailConfirmInput, account: Account): Promise<Account>;
|
|
42
42
|
updateHandle(deviceId: DeviceId, deviceMetadata: RequestMetadata, input: UpdateHandleData, account: Account): Promise<Account>;
|
|
43
|
+
deactivateAccount(deviceId: DeviceId, deviceMetadata: RequestMetadata, account: Account): Promise<Account>;
|
|
44
|
+
reactivateAccount(deviceId: DeviceId, deviceMetadata: RequestMetadata, account: Account): Promise<Account>;
|
|
45
|
+
deleteAccountRequest(deviceId: DeviceId, deviceMetadata: RequestMetadata, input: DeleteAccountRequestInput, account: Account): Promise<void>;
|
|
46
|
+
deleteAccountConfirm(deviceId: DeviceId, deviceMetadata: RequestMetadata, input: DeleteAccountConfirmInput, account: Account): Promise<void>;
|
|
43
47
|
}
|
|
44
48
|
//# sourceMappingURL=account-manager.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"account-manager.d.ts","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EAEtB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAGjD,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AAGzE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACpD,OAAO,
|
|
1
|
+
{"version":3,"file":"account-manager.d.ts","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAClC,OAAO,EACL,qBAAqB,EAEtB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAGjD,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AAGzE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACpD,OAAO,EACL,OAAO,EACP,YAAY,EACZ,oBAAoB,EACpB,yBAAyB,EACzB,yBAAyB,EACzB,aAAa,EACb,yBAAyB,EACzB,yBAAyB,EACzB,UAAU,EACV,uBAAuB,EACvB,uBAAuB,EACvB,gBAAgB,EAChB,uBAAuB,EACvB,uBAAuB,EACxB,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAOhD,qBAAa,cAAc;IAMvB,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,YAAY;IACtC,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IANtC,SAAS,CAAC,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAA;IAC9C,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,cAAc,CAAA;IAElD,YACE,MAAM,EAAE,qBAAqB,EACV,KAAK,EAAE,YAAY,EACnB,KAAK,EAAE,UAAU,EACpC,aAAa,EAAE,aAAa,EAM7B;IAED,UAAgB,oBAAoB,CAClC,KAAK,EAAE,WAAW,EAClB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,GAC9B,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC,CAoC3C;IAED,UAAgB,iBAAiB,CAC/B,KAAK,EAAE,WAAW,EAClB,SAAS,EAAE,QAAQ,EACnB,eAAe,EAAE,eAAe,GAC/B,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAU7B;IAED,UAAgB,eAAe,CAC7B,KAAK,EAAE,WAAW,EAClB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,GAC9B,OAAO,CAAC,UAAU,CAAC,CAOrB;IAEY,aAAa,CACxB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,OAAO,CAAC,CAkClB;IAEY,mBAAmB,CAC9B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,IAAI,EAAE,UAAU,EAChB,QAAQ,CAAC,EAAE,QAAQ,GAClB,OAAO,CAAC,OAAO,CAAC,CAgElB;IAEY,mBAAmB,CAC9B,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,IAAI,CAAC,CAEf;IAEY,gBAAgB,CAC3B,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,aAAa,CAAC,CAKxB;IAEY,mBAAmB,CAC9B,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,oBAAoB,GACzB,OAAO,CAAC,IAAI,CAAC,CAKf;IAEY,UAAU,CAAC,GAAG,EAAE,GAAG;;;OAE/B;IAEY,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,iBAE5D;IAEY,kBAAkB,CAC7B,QAAQ,EAAE,QAAQ,GACjB,OAAO,CAAC,aAAa,EAAE,CAAC,CAO1B;IAEY,kBAAkB,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAOlE;IAEY,oBAAoB,CAC/B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,yBAAyB,iBAoBjC;IAEY,oBAAoB,CAC/B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,yBAAyB,oBAwBjC;IAEY,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAInE;IAEY,kBAAkB,CAC7B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,uBAAuB,EAC9B,OAAO,EAAE,OAAO,GACf,OAAO,CAAC;QAAE,aAAa,EAAE,OAAO,CAAA;KAAE,CAAC,CAkBrC;IAEY,kBAAkB,CAC7B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,uBAAuB,EAC9B,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,OAAO,CAAC,CAsBlB;IAEY,kBAAkB,CAC7B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,uBAAuB,EAC9B,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,IAAI,CAAC,CAgBf;IAEY,kBAAkB,CAC7B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,uBAAuB,EAC9B,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,OAAO,CAAC,CAsBlB;IAEY,YAAY,CACvB,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,gBAAgB,EACvB,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,OAAO,CAAC,CAkBlB;IAEY,iBAAiB,CAC5B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,OAAO,CAAC,CAoBlB;IAEY,iBAAiB,CAC5B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,OAAO,CAAC,CAoBlB;IAEY,oBAAoB,CAC/B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,yBAAyB,EAChC,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,IAAI,CAAC,CAcf;IAEY,oBAAoB,CAC/B,QAAQ,EAAE,QAAQ,EAClB,cAAc,EAAE,eAAe,EAC/B,KAAK,EAAE,yBAAyB,EAChC,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,IAAI,CAAC,CAqBf;CACF"}
|
|
@@ -81,7 +81,7 @@ export class AccountManager {
|
|
|
81
81
|
return account;
|
|
82
82
|
}
|
|
83
83
|
catch (err) {
|
|
84
|
-
await this.removeDeviceAccount(deviceId, account.
|
|
84
|
+
await this.removeDeviceAccount(deviceId, account.did);
|
|
85
85
|
throw InvalidRequestError.from(err, 'The account was successfully created but something went wrong, try signing-in.');
|
|
86
86
|
}
|
|
87
87
|
});
|
|
@@ -106,14 +106,14 @@ export class AccountManager {
|
|
|
106
106
|
// This information is only exposed to the hook and is never
|
|
107
107
|
// surfaced to the client.
|
|
108
108
|
const isCredentialsError = err instanceof InvalidCredentialsError;
|
|
109
|
-
const
|
|
109
|
+
const did = isCredentialsError ? err.did ?? null : null;
|
|
110
110
|
// Swallow any error from the hook itself so that it does not mask
|
|
111
111
|
// the underlying authentication failure being reported.
|
|
112
112
|
try {
|
|
113
113
|
await this.hooks.onSignInFailed?.call(null, {
|
|
114
114
|
data,
|
|
115
115
|
error: err,
|
|
116
|
-
|
|
116
|
+
did,
|
|
117
117
|
deviceId,
|
|
118
118
|
deviceMetadata,
|
|
119
119
|
clientId,
|
|
@@ -141,11 +141,11 @@ export class AccountManager {
|
|
|
141
141
|
throw InvalidRequestError.from(err, 'Unable to sign-in due to an unexpected server error');
|
|
142
142
|
});
|
|
143
143
|
}
|
|
144
|
-
async upsertDeviceAccount(deviceId,
|
|
145
|
-
await this.store.upsertDeviceAccount(deviceId,
|
|
144
|
+
async upsertDeviceAccount(deviceId, did) {
|
|
145
|
+
await this.store.upsertDeviceAccount(deviceId, did);
|
|
146
146
|
}
|
|
147
|
-
async getDeviceAccount(deviceId,
|
|
148
|
-
const deviceAccount = await this.store.getDeviceAccount(deviceId,
|
|
147
|
+
async getDeviceAccount(deviceId, did) {
|
|
148
|
+
const deviceAccount = await this.store.getDeviceAccount(deviceId, did);
|
|
149
149
|
if (!deviceAccount)
|
|
150
150
|
throw new InvalidRequestError(`Account not found`);
|
|
151
151
|
return deviceAccount;
|
|
@@ -154,13 +154,13 @@ export class AccountManager {
|
|
|
154
154
|
// "Loopback" clients are not distinguishable from one another.
|
|
155
155
|
if (isOAuthClientIdLoopback(client.id))
|
|
156
156
|
return;
|
|
157
|
-
await this.store.setAuthorizedClient(account.
|
|
157
|
+
await this.store.setAuthorizedClient(account.did, client.id, data);
|
|
158
158
|
}
|
|
159
|
-
async getAccount(
|
|
160
|
-
return this.store.getAccount(
|
|
159
|
+
async getAccount(did) {
|
|
160
|
+
return this.store.getAccount(did);
|
|
161
161
|
}
|
|
162
|
-
async removeDeviceAccount(deviceId,
|
|
163
|
-
return this.store.removeDeviceAccount(deviceId,
|
|
162
|
+
async removeDeviceAccount(deviceId, did) {
|
|
163
|
+
return this.store.removeDeviceAccount(deviceId, did);
|
|
164
164
|
}
|
|
165
165
|
async listDeviceAccounts(deviceId) {
|
|
166
166
|
const deviceAccounts = await this.store.listDeviceAccounts({
|
|
@@ -169,12 +169,12 @@ export class AccountManager {
|
|
|
169
169
|
return deviceAccounts // Fool proof
|
|
170
170
|
.filter((deviceAccount) => deviceAccount.deviceId === deviceId);
|
|
171
171
|
}
|
|
172
|
-
async listAccountDevices(
|
|
172
|
+
async listAccountDevices(did) {
|
|
173
173
|
const deviceAccounts = await this.store.listDeviceAccounts({
|
|
174
|
-
|
|
174
|
+
did,
|
|
175
175
|
});
|
|
176
176
|
return deviceAccounts // Fool proof
|
|
177
|
-
.filter((deviceAccount) => deviceAccount.account.
|
|
177
|
+
.filter((deviceAccount) => deviceAccount.account.did === did);
|
|
178
178
|
}
|
|
179
179
|
async resetPasswordRequest(deviceId, deviceMetadata, input) {
|
|
180
180
|
return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {
|
|
@@ -257,23 +257,23 @@ export class AccountManager {
|
|
|
257
257
|
await this.hooks.onVerifyEmailRequest?.call(null, {
|
|
258
258
|
deviceId,
|
|
259
259
|
deviceMetadata,
|
|
260
|
-
input,
|
|
261
260
|
account,
|
|
261
|
+
input,
|
|
262
262
|
});
|
|
263
263
|
await this.store.verifyEmailRequest(input);
|
|
264
264
|
await this.hooks.onVerifyEmailRequested?.call(null, {
|
|
265
265
|
deviceId,
|
|
266
266
|
deviceMetadata,
|
|
267
|
-
input,
|
|
268
267
|
account,
|
|
268
|
+
input,
|
|
269
269
|
});
|
|
270
270
|
}
|
|
271
271
|
async verifyEmailConfirm(deviceId, deviceMetadata, input, account) {
|
|
272
272
|
await this.hooks.onVerifyEmailConfirm?.call(null, {
|
|
273
273
|
deviceId,
|
|
274
274
|
deviceMetadata,
|
|
275
|
-
input,
|
|
276
275
|
account,
|
|
276
|
+
input,
|
|
277
277
|
});
|
|
278
278
|
const updatedAccount = await this.store.verifyEmailConfirm(input);
|
|
279
279
|
if (!updatedAccount) {
|
|
@@ -282,8 +282,8 @@ export class AccountManager {
|
|
|
282
282
|
await this.hooks.onVerifyEmailConfirmed?.call(null, {
|
|
283
283
|
deviceId,
|
|
284
284
|
deviceMetadata,
|
|
285
|
-
input,
|
|
286
285
|
account: updatedAccount,
|
|
286
|
+
input,
|
|
287
287
|
});
|
|
288
288
|
return updatedAccount;
|
|
289
289
|
}
|
|
@@ -303,5 +303,68 @@ export class AccountManager {
|
|
|
303
303
|
});
|
|
304
304
|
return updatedAccount;
|
|
305
305
|
}
|
|
306
|
+
async deactivateAccount(deviceId, deviceMetadata, account) {
|
|
307
|
+
await this.hooks.onDeactivateAccount?.call(null, {
|
|
308
|
+
deviceId,
|
|
309
|
+
deviceMetadata,
|
|
310
|
+
account,
|
|
311
|
+
});
|
|
312
|
+
const updatedAccount = await callAsync(() => this.store.deactivateAccount({ did: account.did })).catch((err) => {
|
|
313
|
+
throw InvalidRequestError.from(err, 'Account deactivation failed');
|
|
314
|
+
});
|
|
315
|
+
await this.hooks.onDeactivatedAccount?.call(null, {
|
|
316
|
+
deviceId,
|
|
317
|
+
deviceMetadata,
|
|
318
|
+
account: updatedAccount,
|
|
319
|
+
});
|
|
320
|
+
return updatedAccount;
|
|
321
|
+
}
|
|
322
|
+
async reactivateAccount(deviceId, deviceMetadata, account) {
|
|
323
|
+
await this.hooks.onReactivateAccount?.call(null, {
|
|
324
|
+
deviceId,
|
|
325
|
+
deviceMetadata,
|
|
326
|
+
account,
|
|
327
|
+
});
|
|
328
|
+
const updatedAccount = await callAsync(() => this.store.reactivateAccount({ did: account.did })).catch((err) => {
|
|
329
|
+
throw InvalidRequestError.from(err, 'Account reactivation failed');
|
|
330
|
+
});
|
|
331
|
+
await this.hooks.onReactivatedAccount?.call(null, {
|
|
332
|
+
deviceId,
|
|
333
|
+
deviceMetadata,
|
|
334
|
+
account: updatedAccount,
|
|
335
|
+
});
|
|
336
|
+
return updatedAccount;
|
|
337
|
+
}
|
|
338
|
+
async deleteAccountRequest(deviceId, deviceMetadata, input, account) {
|
|
339
|
+
await this.hooks.onDeleteAccountRequest?.call(null, {
|
|
340
|
+
deviceId,
|
|
341
|
+
deviceMetadata,
|
|
342
|
+
account,
|
|
343
|
+
});
|
|
344
|
+
await this.store.deleteAccountRequest(input);
|
|
345
|
+
await this.hooks.onDeleteAccountRequested?.call(null, {
|
|
346
|
+
deviceId,
|
|
347
|
+
deviceMetadata,
|
|
348
|
+
account,
|
|
349
|
+
});
|
|
350
|
+
}
|
|
351
|
+
async deleteAccountConfirm(deviceId, deviceMetadata, input, account) {
|
|
352
|
+
return constantTime(BRUTE_FORCE_MITIGATION_DELAY, async () => {
|
|
353
|
+
await this.hooks.onDeleteAccountConfirm?.call(null, {
|
|
354
|
+
deviceId,
|
|
355
|
+
deviceMetadata,
|
|
356
|
+
account,
|
|
357
|
+
});
|
|
358
|
+
await callAsync(() => this.store.deleteAccountConfirm(input)).catch((err) => {
|
|
359
|
+
throw InvalidRequestError.from(err, 'Account deletion failed');
|
|
360
|
+
});
|
|
361
|
+
await this.hooks.onDeleteAccountConfirmed?.call(null, {
|
|
362
|
+
deviceId,
|
|
363
|
+
deviceMetadata,
|
|
364
|
+
account,
|
|
365
|
+
input,
|
|
366
|
+
});
|
|
367
|
+
});
|
|
368
|
+
}
|
|
306
369
|
}
|
|
307
370
|
//# sourceMappingURL=account-manager.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"account-manager.js","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,uBAAuB,GACxB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAA;AAChF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAA;AACxE,OAAO,EAAE,cAAc,EAAwB,MAAM,oBAAoB,CAAA;AACzE,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAA;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAqBlD,MAAM,8BAA8B,GAAG,GAAG,CAAA;AAC1C,MAAM,4BAA4B,GAAG,GAAG,CAAA;AAExC,gDAAgD;AAEhD,MAAM,OAAO,cAAc;IAIzB,YACE,MAA6B,EACV,KAAmB,EACnB,KAAiB,EACpC,aAA4B;qBAFT,KAAK;qBACL,KAAK;QAGxB,IAAI,CAAC,kBAAkB,GAAG,aAAa,CAAC,kBAAkB,KAAK,KAAK,CAAA;QACpE,IAAI,CAAC,cAAc,GAAG,aAAa,CAAC,QAAQ;YAC1C,CAAC,CAAC,IAAI,cAAc,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,QAAQ,CAAC;YACtE,CAAC,CAAC,SAAS,CAAA;IACf,CAAC;IAES,KAAK,CAAC,oBAAoB,CAClC,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YACzB,MAAM,IAAI,mBAAmB,CAAC,4BAA4B,CAAC,CAAA;QAC7D,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAClD,cAAc,CAAC,SAAS,EACxB,KAAK,CAAC,MAAM,EACZ,cAAc,CAAC,SAAS,CACzB,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc;aACrC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,EAAE,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC;aACvE,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEJ,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,IAAI,CAAC,IAAI,EAAE;YAC5C,KAAK;YACL,QAAQ;YACR,cAAc;YACd,MAAM;YACN,MAAM;SACP,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,KAAkB,EAClB,SAAmB,EACnB,eAAgC;QAEhC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,IAAI,mBAAmB,CAAC,yBAAyB,CAAC,CAAA;QAC1D,CAAC;QAED,OAAO,KAAK,CAAC,UAAU,CAAA;IACzB,CAAC;IAES,KAAK,CAAC,eAAe,CAC7B,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,MAAM,CAAC,cAAc,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACrD,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;YAC1D,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;SACxD,CAAC,CAAA;QAEF,OAAO,EAAE,GAAG,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,CAAA;IACjD,CAAC;IAEM,KAAK,CAAC,aAAa,CACxB,QAAkB,EAClB,cAA+B,EAC/B,KAAkB;QAElB,OAAO,YAAY,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,EAAE;gBAC3C,KAAK;gBACL,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;YAExE,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,CACnC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,CAC/B,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACd,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;YAChE,CAAC,CAAC,CAAA;YAEF,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE;oBACtC,IAAI;oBACJ,OAAO;oBACP,QAAQ;oBACR,cAAc;iBACf,CAAC,CAAA;gBAEF,OAAO,OAAO,CAAA;YAChB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,CAAA;gBAErD,MAAM,mBAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,gFAAgF,CACjF,CAAA;YACH,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,cAA+B,EAC/B,IAAgB,EAChB,QAAmB;QAEnB,OAAO,YAAY,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,EAAE;gBAC3C,IAAI;gBACJ,QAAQ;gBACR,cAAc;gBACd,QAAQ;aACT,CAAC,CAAA;YAEF,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,CACnC,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,CAAC,CACrC,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;gBACpB,sEAAsE;gBACtE,uEAAuE;gBACvE,iEAAiE;gBACjE,yCAAyC;gBACzC,IAAI,GAAG,YAAY,mBAAmB,EAAE,CAAC;oBACvC,gEAAgE;oBAChE,2DAA2D;oBAC3D,gEAAgE;oBAChE,4DAA4D;oBAC5D,0BAA0B;oBAC1B,MAAM,kBAAkB,GAAG,GAAG,YAAY,uBAAuB,CAAA;oBACjE,MAAM,GAAG,GAAG,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAA;oBAEvD,kEAAkE;oBAClE,wDAAwD;oBACxD,IAAI,CAAC;wBACH,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,IAAI,CAAC,IAAI,EAAE;4BAC1C,IAAI;4BACJ,KAAK,EAAE,GAAG;4BACV,GAAG;4BACH,QAAQ;4BACR,cAAc;4BACd,QAAQ;yBACT,CAAC,CAAA;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,OAAO;oBACT,CAAC;oBAED,IAAI,kBAAkB,EAAE,CAAC;wBACvB,uDAAuD;wBACvD,MAAM,IAAI,mBAAmB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;oBACtD,CAAC;gBACH,CAAC;gBAED,MAAM,GAAG,CAAA;YACX,CAAC,CAAC,CAAA;YAEF,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE;gBACtC,IAAI;gBACJ,OAAO;gBACP,QAAQ;gBACR,cAAc;gBACd,QAAQ;aACT,CAAC,CAAA;YAEF,OAAO,OAAO,CAAA;QAChB,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,mBAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,qDAAqD,CACtD,CAAA;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,GAAQ;QAER,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACrD,CAAC;IAEM,KAAK,CAAC,gBAAgB,CAC3B,QAAkB,EAClB,GAAQ;QAER,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QACtE,IAAI,CAAC,aAAa;YAAE,MAAM,IAAI,mBAAmB,CAAC,mBAAmB,CAAC,CAAA;QAEtE,OAAO,aAAa,CAAA;IACtB,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,OAAgB,EAChB,MAAc,EACd,IAA0B;QAE1B,+DAA+D;QAC/D,IAAI,uBAAuB,CAAC,MAAM,CAAC,EAAE,CAAC;YAAE,OAAM;QAE9C,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAA;IACpE,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,GAAQ;QAC9B,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,QAAkB,EAAE,GAAQ;QAC3D,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACtD,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB;QAElB,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;YACzD,QAAQ;SACT,CAAC,CAAA;QAEF,OAAO,cAAc,CAAC,aAAa;aAChC,MAAM,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAA;IACnE,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAAC,GAAQ;QACtC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;YACzD,GAAG;SACJ,CAAC,CAAA;QAEF,OAAO,cAAc,CAAC,aAAa;aAChC,MAAM,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,CAAA;IACjE,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAC/B,QAAkB,EAClB,cAA+B,EAC/B,KAAgC;QAEhC,OAAO,YAAY,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;gBAClD,KAAK;gBACL,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;YAE5D,uDAAuD;YAEvD,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,IAAI,EAAE;gBACpD,KAAK;gBACL,QAAQ;gBACR,cAAc;gBACd,OAAO;aACR,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAC/B,QAAkB,EAClB,cAA+B,EAC/B,KAAgC;QAEhC,OAAO,YAAY,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;gBAClD,KAAK;gBACL,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;YAE5D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,mBAAmB,CAAC,eAAe,CAAC,CAAA;YAChD,CAAC;YAED,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,IAAI,EAAE;gBACpD,KAAK;gBACL,QAAQ;gBACR,cAAc;gBACd,OAAO;aACR,CAAC,CAAA;YAEF,OAAO,OAAO,CAAA;QAChB,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,wBAAwB,CAAC,MAAc;QAClD,OAAO,YAAY,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,OAAO,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACpD,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB,EAClB,cAA+B,EAC/B,KAA8B,EAC9B,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,IAAI,CAAC,IAAI,EAAE;YAChD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO;SACR,CAAC,CAAA;QAEF,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QAEpE,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO;SACR,CAAC,CAAA;QAEF,OAAO,EAAE,aAAa,EAAE,aAAa,KAAK,IAAI,EAAE,CAAA;IAClD,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB,EAClB,cAA+B,EAC/B,KAA8B,EAC9B,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,IAAI,CAAC,IAAI,EAAE;YAChD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO;SACR,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QAEjE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,mBAAmB,CAAC,eAAe,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO,EAAE,cAAc;SACxB,CAAC,CAAA;QAEF,OAAO,cAAc,CAAA;IACvB,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB,EAClB,cAA+B,EAC/B,KAA8B,EAC9B,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,IAAI,CAAC,IAAI,EAAE;YAChD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO;SACR,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QAE1C,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO;SACR,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB,EAClB,cAA+B,EAC/B,KAA8B,EAC9B,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,IAAI,CAAC,IAAI,EAAE;YAChD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO;SACR,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QAEjE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,mBAAmB,CAAC,eAAe,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO,EAAE,cAAc;SACxB,CAAC,CAAA;QAEF,OAAO,cAAc,CAAA;IACvB,CAAC;IAEM,KAAK,CAAC,YAAY,CACvB,QAAkB,EAClB,cAA+B,EAC/B,KAAuB,EACvB,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,IAAI,CAAC,IAAI,EAAE;YAC1C,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO;SACR,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,KAAK,CAAC,CAAA;QAE3D,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,EAAE;YAC3C,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO,EAAE,cAAc;SACxB,CAAC,CAAA;QAEF,OAAO,cAAc,CAAA;IACvB,CAAC;CACF","sourcesContent":["import {\n OAuthIssuerIdentifier,\n isOAuthClientIdLoopback,\n} from '@atproto/oauth-types'\nimport { ClientId } from '../client/client-id.js'\nimport { Client } from '../client/client.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { InvalidCredentialsError } from '../errors/invalid-credentials-error.js'\nimport { InvalidRequestError } from '../errors/invalid-request-error.js'\nimport { HCaptchaClient, HcaptchaVerifyResult } from '../lib/hcaptcha.js'\nimport { callAsync } from '../lib/util/function.js'\nimport { constantTime } from '../lib/util/time.js'\nimport { OAuthHooks, RequestMetadata } from '../oauth-hooks.js'\nimport { Customization } from '../oauth-provider.js'\nimport { Sub } from '../oidc/sub.js'\nimport {\n Account,\n AccountStore,\n AuthorizedClientData,\n DeviceAccount,\n ResetPasswordConfirmInput,\n ResetPasswordRequestInput,\n SignUpData,\n UpdateEmailConfirmInput,\n UpdateEmailRequestInput,\n UpdateHandleData,\n VerifyEmailConfirmInput,\n VerifyEmailRequestInput,\n} from './account-store.js'\nimport { SignInData } from './sign-in-data.js'\nimport { SignUpInput } from './sign-up-input.js'\n\nconst TIMING_ATTACK_MITIGATION_DELAY = 400\nconst BRUTE_FORCE_MITIGATION_DELAY = 300\n\n// @TODO Add rate limit to all the OAuth routes.\n\nexport class AccountManager {\n protected readonly inviteCodeRequired: boolean\n protected readonly hcaptchaClient?: HCaptchaClient\n\n constructor(\n issuer: OAuthIssuerIdentifier,\n protected readonly store: AccountStore,\n protected readonly hooks: OAuthHooks,\n customization: Customization,\n ) {\n this.inviteCodeRequired = customization.inviteCodeRequired !== false\n this.hcaptchaClient = customization.hcaptcha\n ? new HCaptchaClient(new URL(issuer).hostname, customization.hcaptcha)\n : undefined\n }\n\n protected async processHcaptchaToken(\n input: SignUpInput,\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n ): Promise<HcaptchaVerifyResult | undefined> {\n if (!this.hcaptchaClient) {\n return undefined\n }\n\n if (!input.hcaptchaToken) {\n throw new InvalidRequestError('hCaptcha token is required')\n }\n\n const tokens = this.hcaptchaClient.buildClientTokens(\n deviceMetadata.ipAddress,\n input.handle,\n deviceMetadata.userAgent,\n )\n\n const result = await this.hcaptchaClient\n .verify('signup', input.hcaptchaToken, deviceMetadata.ipAddress, tokens)\n .catch((err) => {\n throw InvalidRequestError.from(err, 'hCaptcha verification failed')\n })\n\n await this.hooks.onHcaptchaResult?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n tokens,\n result,\n })\n\n try {\n this.hcaptchaClient.checkVerifyResult(result, tokens)\n } catch (err) {\n throw InvalidRequestError.from(err, 'hCaptcha verification failed')\n }\n\n return result\n }\n\n protected async enforceInviteCode(\n input: SignUpInput,\n _deviceId: DeviceId,\n _deviceMetadata: RequestMetadata,\n ): Promise<string | undefined> {\n if (!this.inviteCodeRequired) {\n return undefined\n }\n\n if (!input.inviteCode) {\n throw new InvalidRequestError('Invite code is required')\n }\n\n return input.inviteCode\n }\n\n protected async buildSignupData(\n input: SignUpInput,\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n ): Promise<SignUpData> {\n const [hcaptchaResult, inviteCode] = await Promise.all([\n this.processHcaptchaToken(input, deviceId, deviceMetadata),\n this.enforceInviteCode(input, deviceId, deviceMetadata),\n ])\n\n return { ...input, hcaptchaResult, inviteCode }\n }\n\n public async createAccount(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: SignUpInput,\n ): Promise<Account> {\n return constantTime(BRUTE_FORCE_MITIGATION_DELAY, async () => {\n await this.hooks.onSignUpAttempt?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n })\n\n const data = await this.buildSignupData(input, deviceId, deviceMetadata)\n\n const account = await callAsync(() =>\n this.store.createAccount(data),\n ).catch((err) => {\n throw InvalidRequestError.from(err, 'Account creation failed')\n })\n\n try {\n await this.hooks.onSignedUp?.call(null, {\n data,\n account,\n deviceId,\n deviceMetadata,\n })\n\n return account\n } catch (err) {\n await this.removeDeviceAccount(deviceId, account.sub)\n\n throw InvalidRequestError.from(\n err,\n 'The account was successfully created but something went wrong, try signing-in.',\n )\n }\n })\n }\n\n public async authenticateAccount(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n data: SignInData,\n clientId?: ClientId,\n ): Promise<Account> {\n return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n await this.hooks.onSignInAttempt?.call(null, {\n data,\n deviceId,\n deviceMetadata,\n clientId,\n })\n\n const account = await callAsync(() =>\n this.store.authenticateAccount(data),\n ).catch(async (err) => {\n // Only notify for credential failures (e.g. unknown identifier, wrong\n // password). Server errors and flows that require an additional factor\n // (e.g. SecondAuthenticationFactorRequiredError) are not \"failed\n // sign-ins\" and do not trigger the hook.\n if (err instanceof InvalidRequestError) {\n // Stores that throw the more specific `InvalidCredentialsError`\n // can attach the matched subject identifier to distinguish\n // \"identifier known, password wrong\" from \"identifier unknown\".\n // This information is only exposed to the hook and is never\n // surfaced to the client.\n const isCredentialsError = err instanceof InvalidCredentialsError\n const sub = isCredentialsError ? err.sub ?? null : null\n\n // Swallow any error from the hook itself so that it does not mask\n // the underlying authentication failure being reported.\n try {\n await this.hooks.onSignInFailed?.call(null, {\n data,\n error: err,\n sub,\n deviceId,\n deviceMetadata,\n clientId,\n })\n } catch {\n // noop\n }\n\n if (isCredentialsError) {\n // Defensively downgrade to a plain InvalidRequestError\n throw new InvalidRequestError(err.error_description)\n }\n }\n\n throw err\n })\n\n await this.hooks.onSignedIn?.call(null, {\n data,\n account,\n deviceId,\n deviceMetadata,\n clientId,\n })\n\n return account\n }).catch((err) => {\n throw InvalidRequestError.from(\n err,\n 'Unable to sign-in due to an unexpected server error',\n )\n })\n }\n\n public async upsertDeviceAccount(\n deviceId: DeviceId,\n sub: Sub,\n ): Promise<void> {\n await this.store.upsertDeviceAccount(deviceId, sub)\n }\n\n public async getDeviceAccount(\n deviceId: DeviceId,\n sub: Sub,\n ): Promise<DeviceAccount> {\n const deviceAccount = await this.store.getDeviceAccount(deviceId, sub)\n if (!deviceAccount) throw new InvalidRequestError(`Account not found`)\n\n return deviceAccount\n }\n\n public async setAuthorizedClient(\n account: Account,\n client: Client,\n data: AuthorizedClientData,\n ): Promise<void> {\n // \"Loopback\" clients are not distinguishable from one another.\n if (isOAuthClientIdLoopback(client.id)) return\n\n await this.store.setAuthorizedClient(account.sub, client.id, data)\n }\n\n public async getAccount(sub: Sub) {\n return this.store.getAccount(sub)\n }\n\n public async removeDeviceAccount(deviceId: DeviceId, sub: Sub) {\n return this.store.removeDeviceAccount(deviceId, sub)\n }\n\n public async listDeviceAccounts(\n deviceId: DeviceId,\n ): Promise<DeviceAccount[]> {\n const deviceAccounts = await this.store.listDeviceAccounts({\n deviceId,\n })\n\n return deviceAccounts // Fool proof\n .filter((deviceAccount) => deviceAccount.deviceId === deviceId)\n }\n\n public async listAccountDevices(sub: Sub): Promise<DeviceAccount[]> {\n const deviceAccounts = await this.store.listDeviceAccounts({\n sub,\n })\n\n return deviceAccounts // Fool proof\n .filter((deviceAccount) => deviceAccount.account.sub === sub)\n }\n\n public async resetPasswordRequest(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: ResetPasswordRequestInput,\n ) {\n return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n await this.hooks.onResetPasswordRequest?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n })\n\n const account = await this.store.resetPasswordRequest(input)\n\n // @NOTE Do not throw here, to prevent user enumeration\n\n await this.hooks.onResetPasswordRequested?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n account,\n })\n })\n }\n\n public async resetPasswordConfirm(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: ResetPasswordConfirmInput,\n ) {\n return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n await this.hooks.onResetPasswordConfirm?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n })\n\n const account = await this.store.resetPasswordConfirm(input)\n\n if (!account) {\n throw new InvalidRequestError('Invalid token')\n }\n\n await this.hooks.onResetPasswordConfirmed?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n account,\n })\n\n return account\n })\n }\n\n public async verifyHandleAvailability(handle: string): Promise<void> {\n return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n return this.store.verifyHandleAvailability(handle)\n })\n }\n\n public async updateEmailRequest(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: UpdateEmailRequestInput,\n account: Account,\n ): Promise<{ tokenRequired: boolean }> {\n await this.hooks.onChangeEmailRequest?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account,\n })\n\n const { tokenRequired } = await this.store.updateEmailRequest(input)\n\n await this.hooks.onChangeEmailRequested?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account,\n })\n\n return { tokenRequired: tokenRequired === true }\n }\n\n public async updateEmailConfirm(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: UpdateEmailConfirmInput,\n account: Account,\n ): Promise<Account> {\n await this.hooks.onUpdateEmailConfirm?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account,\n })\n\n const updatedAccount = await this.store.updateEmailConfirm(input)\n\n if (!updatedAccount) {\n throw new InvalidRequestError('Invalid token')\n }\n\n await this.hooks.onUpdateEmailConfirmed?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account: updatedAccount,\n })\n\n return updatedAccount\n }\n\n public async verifyEmailRequest(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: VerifyEmailRequestInput,\n account: Account,\n ): Promise<void> {\n await this.hooks.onVerifyEmailRequest?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account,\n })\n\n await this.store.verifyEmailRequest(input)\n\n await this.hooks.onVerifyEmailRequested?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account,\n })\n }\n\n public async verifyEmailConfirm(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: VerifyEmailConfirmInput,\n account: Account,\n ): Promise<Account> {\n await this.hooks.onVerifyEmailConfirm?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account,\n })\n\n const updatedAccount = await this.store.verifyEmailConfirm(input)\n\n if (!updatedAccount) {\n throw new InvalidRequestError('Invalid token')\n }\n\n await this.hooks.onVerifyEmailConfirmed?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account: updatedAccount,\n })\n\n return updatedAccount\n }\n\n public async updateHandle(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: UpdateHandleData,\n account: Account,\n ): Promise<Account> {\n await this.hooks.onUpdateHandle?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account,\n })\n\n const updatedAccount = await this.store.updateHandle(input)\n\n await this.hooks.onUpdatedHandle?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account: updatedAccount,\n })\n\n return updatedAccount\n }\n}\n"]}
|
|
1
|
+
{"version":3,"file":"account-manager.js","sourceRoot":"","sources":["../../src/account/account-manager.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,uBAAuB,GACxB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAA;AAChF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAA;AACxE,OAAO,EAAE,cAAc,EAAwB,MAAM,oBAAoB,CAAA;AACzE,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAA;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAsBlD,MAAM,8BAA8B,GAAG,GAAG,CAAA;AAC1C,MAAM,4BAA4B,GAAG,GAAG,CAAA;AAExC,gDAAgD;AAEhD,MAAM,OAAO,cAAc;IAIzB,YACE,MAA6B,EACV,KAAmB,EACnB,KAAiB,EACpC,aAA4B;qBAFT,KAAK;qBACL,KAAK;QAGxB,IAAI,CAAC,kBAAkB,GAAG,aAAa,CAAC,kBAAkB,KAAK,KAAK,CAAA;QACpE,IAAI,CAAC,cAAc,GAAG,aAAa,CAAC,QAAQ;YAC1C,CAAC,CAAC,IAAI,cAAc,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,QAAQ,CAAC;YACtE,CAAC,CAAC,SAAS,CAAA;IACf,CAAC;IAES,KAAK,CAAC,oBAAoB,CAClC,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YACzB,MAAM,IAAI,mBAAmB,CAAC,4BAA4B,CAAC,CAAA;QAC7D,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAClD,cAAc,CAAC,SAAS,EACxB,KAAK,CAAC,MAAM,EACZ,cAAc,CAAC,SAAS,CACzB,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc;aACrC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,EAAE,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC;aACvE,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC,CAAC,CAAA;QAEJ,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,IAAI,CAAC,IAAI,EAAE;YAC5C,KAAK;YACL,QAAQ;YACR,cAAc;YACd,MAAM;YACN,MAAM;SACP,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAA;QACrE,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,KAAkB,EAClB,SAAmB,EACnB,eAAgC;QAEhC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,IAAI,mBAAmB,CAAC,yBAAyB,CAAC,CAAA;QAC1D,CAAC;QAED,OAAO,KAAK,CAAC,UAAU,CAAA;IACzB,CAAC;IAES,KAAK,CAAC,eAAe,CAC7B,KAAkB,EAClB,QAAkB,EAClB,cAA+B;QAE/B,MAAM,CAAC,cAAc,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACrD,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;YAC1D,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC;SACxD,CAAC,CAAA;QAEF,OAAO,EAAE,GAAG,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,CAAA;IACjD,CAAC;IAEM,KAAK,CAAC,aAAa,CACxB,QAAkB,EAClB,cAA+B,EAC/B,KAAkB;QAElB,OAAO,YAAY,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,EAAE;gBAC3C,KAAK;gBACL,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;YAExE,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,CACnC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,CAC/B,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACd,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;YAChE,CAAC,CAAC,CAAA;YAEF,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE;oBACtC,IAAI;oBACJ,OAAO;oBACP,QAAQ;oBACR,cAAc;iBACf,CAAC,CAAA;gBAEF,OAAO,OAAO,CAAA;YAChB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,CAAA;gBAErD,MAAM,mBAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,gFAAgF,CACjF,CAAA;YACH,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,cAA+B,EAC/B,IAAgB,EAChB,QAAmB;QAEnB,OAAO,YAAY,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,EAAE;gBAC3C,IAAI;gBACJ,QAAQ;gBACR,cAAc;gBACd,QAAQ;aACT,CAAC,CAAA;YAEF,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,CACnC,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,CAAC,CACrC,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;gBACpB,sEAAsE;gBACtE,uEAAuE;gBACvE,iEAAiE;gBACjE,yCAAyC;gBACzC,IAAI,GAAG,YAAY,mBAAmB,EAAE,CAAC;oBACvC,gEAAgE;oBAChE,2DAA2D;oBAC3D,gEAAgE;oBAChE,4DAA4D;oBAC5D,0BAA0B;oBAC1B,MAAM,kBAAkB,GAAG,GAAG,YAAY,uBAAuB,CAAA;oBACjE,MAAM,GAAG,GAAG,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAA;oBAEvD,kEAAkE;oBAClE,wDAAwD;oBACxD,IAAI,CAAC;wBACH,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,IAAI,CAAC,IAAI,EAAE;4BAC1C,IAAI;4BACJ,KAAK,EAAE,GAAG;4BACV,GAAG;4BACH,QAAQ;4BACR,cAAc;4BACd,QAAQ;yBACT,CAAC,CAAA;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,OAAO;oBACT,CAAC;oBAED,IAAI,kBAAkB,EAAE,CAAC;wBACvB,uDAAuD;wBACvD,MAAM,IAAI,mBAAmB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;oBACtD,CAAC;gBACH,CAAC;gBAED,MAAM,GAAG,CAAA;YACX,CAAC,CAAC,CAAA;YAEF,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE;gBACtC,IAAI;gBACJ,OAAO;gBACP,QAAQ;gBACR,cAAc;gBACd,QAAQ;aACT,CAAC,CAAA;YAEF,OAAO,OAAO,CAAA;QAChB,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACf,MAAM,mBAAmB,CAAC,IAAI,CAC5B,GAAG,EACH,qDAAqD,CACtD,CAAA;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,QAAkB,EAClB,GAAQ;QAER,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACrD,CAAC;IAEM,KAAK,CAAC,gBAAgB,CAC3B,QAAkB,EAClB,GAAQ;QAER,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QACtE,IAAI,CAAC,aAAa;YAAE,MAAM,IAAI,mBAAmB,CAAC,mBAAmB,CAAC,CAAA;QAEtE,OAAO,aAAa,CAAA;IACtB,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAC9B,OAAgB,EAChB,MAAc,EACd,IAA0B;QAE1B,+DAA+D;QAC/D,IAAI,uBAAuB,CAAC,MAAM,CAAC,EAAE,CAAC;YAAE,OAAM;QAE9C,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAA;IACpE,CAAC;IAEM,KAAK,CAAC,UAAU,CAAC,GAAQ;QAC9B,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;IACnC,CAAC;IAEM,KAAK,CAAC,mBAAmB,CAAC,QAAkB,EAAE,GAAQ;QAC3D,OAAO,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACtD,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB;QAElB,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;YACzD,QAAQ;SACT,CAAC,CAAA;QAEF,OAAO,cAAc,CAAC,aAAa;aAChC,MAAM,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAA;IACnE,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAAC,GAAQ;QACtC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;YACzD,GAAG;SACJ,CAAC,CAAA;QAEF,OAAO,cAAc,CAAC,aAAa;aAChC,MAAM,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,CAAA;IACjE,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAC/B,QAAkB,EAClB,cAA+B,EAC/B,KAAgC;QAEhC,OAAO,YAAY,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;gBAClD,KAAK;gBACL,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;YAE5D,uDAAuD;YAEvD,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,IAAI,EAAE;gBACpD,KAAK;gBACL,QAAQ;gBACR,cAAc;gBACd,OAAO;aACR,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAC/B,QAAkB,EAClB,cAA+B,EAC/B,KAAgC;QAEhC,OAAO,YAAY,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;gBAClD,KAAK;gBACL,QAAQ;gBACR,cAAc;aACf,CAAC,CAAA;YAEF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;YAE5D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,mBAAmB,CAAC,eAAe,CAAC,CAAA;YAChD,CAAC;YAED,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,IAAI,EAAE;gBACpD,KAAK;gBACL,QAAQ;gBACR,cAAc;gBACd,OAAO;aACR,CAAC,CAAA;YAEF,OAAO,OAAO,CAAA;QAChB,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,wBAAwB,CAAC,MAAc;QAClD,OAAO,YAAY,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC7D,OAAO,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACpD,CAAC,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB,EAClB,cAA+B,EAC/B,KAA8B,EAC9B,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,IAAI,CAAC,IAAI,EAAE;YAChD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO;SACR,CAAC,CAAA;QAEF,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QAEpE,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO;SACR,CAAC,CAAA;QAEF,OAAO,EAAE,aAAa,EAAE,aAAa,KAAK,IAAI,EAAE,CAAA;IAClD,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB,EAClB,cAA+B,EAC/B,KAA8B,EAC9B,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,IAAI,CAAC,IAAI,EAAE;YAChD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO;SACR,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QAEjE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,mBAAmB,CAAC,eAAe,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO,EAAE,cAAc;SACxB,CAAC,CAAA;QAEF,OAAO,cAAc,CAAA;IACvB,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB,EAClB,cAA+B,EAC/B,KAA8B,EAC9B,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,IAAI,CAAC,IAAI,EAAE;YAChD,QAAQ;YACR,cAAc;YACd,OAAO;YACP,KAAK;SACN,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QAE1C,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,QAAQ;YACR,cAAc;YACd,OAAO;YACP,KAAK;SACN,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,kBAAkB,CAC7B,QAAkB,EAClB,cAA+B,EAC/B,KAA8B,EAC9B,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,IAAI,CAAC,IAAI,EAAE;YAChD,QAAQ;YACR,cAAc;YACd,OAAO;YACP,KAAK;SACN,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAA;QAEjE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,mBAAmB,CAAC,eAAe,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,QAAQ;YACR,cAAc;YACd,OAAO,EAAE,cAAc;YACvB,KAAK;SACN,CAAC,CAAA;QAEF,OAAO,cAAc,CAAA;IACvB,CAAC;IAEM,KAAK,CAAC,YAAY,CACvB,QAAkB,EAClB,cAA+B,EAC/B,KAAuB,EACvB,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,IAAI,CAAC,IAAI,EAAE;YAC1C,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO;SACR,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,KAAK,CAAC,CAAA;QAE3D,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,EAAE;YAC3C,QAAQ;YACR,cAAc;YACd,KAAK;YACL,OAAO,EAAE,cAAc;SACxB,CAAC,CAAA;QAEF,OAAO,cAAc,CAAA;IACvB,CAAC;IAEM,KAAK,CAAC,iBAAiB,CAC5B,QAAkB,EAClB,cAA+B,EAC/B,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,EAAE,IAAI,CAAC,IAAI,EAAE;YAC/C,QAAQ;YACR,cAAc;YACd,OAAO;SACR,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,CAC1C,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CACnD,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACd,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAA;QACpE,CAAC,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,IAAI,CAAC,IAAI,EAAE;YAChD,QAAQ;YACR,cAAc;YACd,OAAO,EAAE,cAAc;SACxB,CAAC,CAAA;QAEF,OAAO,cAAc,CAAA;IACvB,CAAC;IAEM,KAAK,CAAC,iBAAiB,CAC5B,QAAkB,EAClB,cAA+B,EAC/B,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,EAAE,IAAI,CAAC,IAAI,EAAE;YAC/C,QAAQ;YACR,cAAc;YACd,OAAO;SACR,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,CAC1C,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CACnD,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACd,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAA;QACpE,CAAC,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,IAAI,CAAC,IAAI,EAAE;YAChD,QAAQ;YACR,cAAc;YACd,OAAO,EAAE,cAAc;SACxB,CAAC,CAAA;QAEF,OAAO,cAAc,CAAA;IACvB,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAC/B,QAAkB,EAClB,cAA+B,EAC/B,KAAgC,EAChC,OAAgB;QAEhB,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;YAClD,QAAQ;YACR,cAAc;YACd,OAAO;SACR,CAAC,CAAA;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;QAE5C,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,IAAI,EAAE;YACpD,QAAQ;YACR,cAAc;YACd,OAAO;SACR,CAAC,CAAA;IACJ,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAC/B,QAAkB,EAClB,cAA+B,EAC/B,KAAgC,EAChC,OAAgB;QAEhB,OAAO,YAAY,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;gBAClD,QAAQ;gBACR,cAAc;gBACd,OAAO;aACR,CAAC,CAAA;YAEF,MAAM,SAAS,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CACjE,CAAC,GAAG,EAAE,EAAE;gBACN,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAA;YAChE,CAAC,CACF,CAAA;YAED,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,IAAI,EAAE;gBACpD,QAAQ;gBACR,cAAc;gBACd,OAAO;gBACP,KAAK;aACN,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC;CACF","sourcesContent":["import { Did } from '@atproto/did'\nimport {\n OAuthIssuerIdentifier,\n isOAuthClientIdLoopback,\n} from '@atproto/oauth-types'\nimport { ClientId } from '../client/client-id.js'\nimport { Client } from '../client/client.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { InvalidCredentialsError } from '../errors/invalid-credentials-error.js'\nimport { InvalidRequestError } from '../errors/invalid-request-error.js'\nimport { HCaptchaClient, HcaptchaVerifyResult } from '../lib/hcaptcha.js'\nimport { callAsync } from '../lib/util/function.js'\nimport { constantTime } from '../lib/util/time.js'\nimport { OAuthHooks, RequestMetadata } from '../oauth-hooks.js'\nimport { Customization } from '../oauth-provider.js'\nimport {\n Account,\n AccountStore,\n AuthorizedClientData,\n DeleteAccountConfirmInput,\n DeleteAccountRequestInput,\n DeviceAccount,\n ResetPasswordConfirmInput,\n ResetPasswordRequestInput,\n SignUpData,\n UpdateEmailConfirmInput,\n UpdateEmailRequestInput,\n UpdateHandleData,\n VerifyEmailConfirmInput,\n VerifyEmailRequestInput,\n} from './account-store.js'\nimport { SignInData } from './sign-in-data.js'\nimport { SignUpInput } from './sign-up-input.js'\n\nconst TIMING_ATTACK_MITIGATION_DELAY = 400\nconst BRUTE_FORCE_MITIGATION_DELAY = 300\n\n// @TODO Add rate limit to all the OAuth routes.\n\nexport class AccountManager {\n protected readonly inviteCodeRequired: boolean\n protected readonly hcaptchaClient?: HCaptchaClient\n\n constructor(\n issuer: OAuthIssuerIdentifier,\n protected readonly store: AccountStore,\n protected readonly hooks: OAuthHooks,\n customization: Customization,\n ) {\n this.inviteCodeRequired = customization.inviteCodeRequired !== false\n this.hcaptchaClient = customization.hcaptcha\n ? new HCaptchaClient(new URL(issuer).hostname, customization.hcaptcha)\n : undefined\n }\n\n protected async processHcaptchaToken(\n input: SignUpInput,\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n ): Promise<HcaptchaVerifyResult | undefined> {\n if (!this.hcaptchaClient) {\n return undefined\n }\n\n if (!input.hcaptchaToken) {\n throw new InvalidRequestError('hCaptcha token is required')\n }\n\n const tokens = this.hcaptchaClient.buildClientTokens(\n deviceMetadata.ipAddress,\n input.handle,\n deviceMetadata.userAgent,\n )\n\n const result = await this.hcaptchaClient\n .verify('signup', input.hcaptchaToken, deviceMetadata.ipAddress, tokens)\n .catch((err) => {\n throw InvalidRequestError.from(err, 'hCaptcha verification failed')\n })\n\n await this.hooks.onHcaptchaResult?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n tokens,\n result,\n })\n\n try {\n this.hcaptchaClient.checkVerifyResult(result, tokens)\n } catch (err) {\n throw InvalidRequestError.from(err, 'hCaptcha verification failed')\n }\n\n return result\n }\n\n protected async enforceInviteCode(\n input: SignUpInput,\n _deviceId: DeviceId,\n _deviceMetadata: RequestMetadata,\n ): Promise<string | undefined> {\n if (!this.inviteCodeRequired) {\n return undefined\n }\n\n if (!input.inviteCode) {\n throw new InvalidRequestError('Invite code is required')\n }\n\n return input.inviteCode\n }\n\n protected async buildSignupData(\n input: SignUpInput,\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n ): Promise<SignUpData> {\n const [hcaptchaResult, inviteCode] = await Promise.all([\n this.processHcaptchaToken(input, deviceId, deviceMetadata),\n this.enforceInviteCode(input, deviceId, deviceMetadata),\n ])\n\n return { ...input, hcaptchaResult, inviteCode }\n }\n\n public async createAccount(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: SignUpInput,\n ): Promise<Account> {\n return constantTime(BRUTE_FORCE_MITIGATION_DELAY, async () => {\n await this.hooks.onSignUpAttempt?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n })\n\n const data = await this.buildSignupData(input, deviceId, deviceMetadata)\n\n const account = await callAsync(() =>\n this.store.createAccount(data),\n ).catch((err) => {\n throw InvalidRequestError.from(err, 'Account creation failed')\n })\n\n try {\n await this.hooks.onSignedUp?.call(null, {\n data,\n account,\n deviceId,\n deviceMetadata,\n })\n\n return account\n } catch (err) {\n await this.removeDeviceAccount(deviceId, account.did)\n\n throw InvalidRequestError.from(\n err,\n 'The account was successfully created but something went wrong, try signing-in.',\n )\n }\n })\n }\n\n public async authenticateAccount(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n data: SignInData,\n clientId?: ClientId,\n ): Promise<Account> {\n return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n await this.hooks.onSignInAttempt?.call(null, {\n data,\n deviceId,\n deviceMetadata,\n clientId,\n })\n\n const account = await callAsync(() =>\n this.store.authenticateAccount(data),\n ).catch(async (err) => {\n // Only notify for credential failures (e.g. unknown identifier, wrong\n // password). Server errors and flows that require an additional factor\n // (e.g. SecondAuthenticationFactorRequiredError) are not \"failed\n // sign-ins\" and do not trigger the hook.\n if (err instanceof InvalidRequestError) {\n // Stores that throw the more specific `InvalidCredentialsError`\n // can attach the matched subject identifier to distinguish\n // \"identifier known, password wrong\" from \"identifier unknown\".\n // This information is only exposed to the hook and is never\n // surfaced to the client.\n const isCredentialsError = err instanceof InvalidCredentialsError\n const did = isCredentialsError ? err.did ?? null : null\n\n // Swallow any error from the hook itself so that it does not mask\n // the underlying authentication failure being reported.\n try {\n await this.hooks.onSignInFailed?.call(null, {\n data,\n error: err,\n did,\n deviceId,\n deviceMetadata,\n clientId,\n })\n } catch {\n // noop\n }\n\n if (isCredentialsError) {\n // Defensively downgrade to a plain InvalidRequestError\n throw new InvalidRequestError(err.error_description)\n }\n }\n\n throw err\n })\n\n await this.hooks.onSignedIn?.call(null, {\n data,\n account,\n deviceId,\n deviceMetadata,\n clientId,\n })\n\n return account\n }).catch((err) => {\n throw InvalidRequestError.from(\n err,\n 'Unable to sign-in due to an unexpected server error',\n )\n })\n }\n\n public async upsertDeviceAccount(\n deviceId: DeviceId,\n did: Did,\n ): Promise<void> {\n await this.store.upsertDeviceAccount(deviceId, did)\n }\n\n public async getDeviceAccount(\n deviceId: DeviceId,\n did: Did,\n ): Promise<DeviceAccount> {\n const deviceAccount = await this.store.getDeviceAccount(deviceId, did)\n if (!deviceAccount) throw new InvalidRequestError(`Account not found`)\n\n return deviceAccount\n }\n\n public async setAuthorizedClient(\n account: Account,\n client: Client,\n data: AuthorizedClientData,\n ): Promise<void> {\n // \"Loopback\" clients are not distinguishable from one another.\n if (isOAuthClientIdLoopback(client.id)) return\n\n await this.store.setAuthorizedClient(account.did, client.id, data)\n }\n\n public async getAccount(did: Did) {\n return this.store.getAccount(did)\n }\n\n public async removeDeviceAccount(deviceId: DeviceId, did: Did) {\n return this.store.removeDeviceAccount(deviceId, did)\n }\n\n public async listDeviceAccounts(\n deviceId: DeviceId,\n ): Promise<DeviceAccount[]> {\n const deviceAccounts = await this.store.listDeviceAccounts({\n deviceId,\n })\n\n return deviceAccounts // Fool proof\n .filter((deviceAccount) => deviceAccount.deviceId === deviceId)\n }\n\n public async listAccountDevices(did: Did): Promise<DeviceAccount[]> {\n const deviceAccounts = await this.store.listDeviceAccounts({\n did,\n })\n\n return deviceAccounts // Fool proof\n .filter((deviceAccount) => deviceAccount.account.did === did)\n }\n\n public async resetPasswordRequest(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: ResetPasswordRequestInput,\n ) {\n return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n await this.hooks.onResetPasswordRequest?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n })\n\n const account = await this.store.resetPasswordRequest(input)\n\n // @NOTE Do not throw here, to prevent user enumeration\n\n await this.hooks.onResetPasswordRequested?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n account,\n })\n })\n }\n\n public async resetPasswordConfirm(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: ResetPasswordConfirmInput,\n ) {\n return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n await this.hooks.onResetPasswordConfirm?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n })\n\n const account = await this.store.resetPasswordConfirm(input)\n\n if (!account) {\n throw new InvalidRequestError('Invalid token')\n }\n\n await this.hooks.onResetPasswordConfirmed?.call(null, {\n input,\n deviceId,\n deviceMetadata,\n account,\n })\n\n return account\n })\n }\n\n public async verifyHandleAvailability(handle: string): Promise<void> {\n return constantTime(TIMING_ATTACK_MITIGATION_DELAY, async () => {\n return this.store.verifyHandleAvailability(handle)\n })\n }\n\n public async updateEmailRequest(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: UpdateEmailRequestInput,\n account: Account,\n ): Promise<{ tokenRequired: boolean }> {\n await this.hooks.onChangeEmailRequest?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account,\n })\n\n const { tokenRequired } = await this.store.updateEmailRequest(input)\n\n await this.hooks.onChangeEmailRequested?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account,\n })\n\n return { tokenRequired: tokenRequired === true }\n }\n\n public async updateEmailConfirm(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: UpdateEmailConfirmInput,\n account: Account,\n ): Promise<Account> {\n await this.hooks.onUpdateEmailConfirm?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account,\n })\n\n const updatedAccount = await this.store.updateEmailConfirm(input)\n\n if (!updatedAccount) {\n throw new InvalidRequestError('Invalid token')\n }\n\n await this.hooks.onUpdateEmailConfirmed?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account: updatedAccount,\n })\n\n return updatedAccount\n }\n\n public async verifyEmailRequest(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: VerifyEmailRequestInput,\n account: Account,\n ): Promise<void> {\n await this.hooks.onVerifyEmailRequest?.call(null, {\n deviceId,\n deviceMetadata,\n account,\n input,\n })\n\n await this.store.verifyEmailRequest(input)\n\n await this.hooks.onVerifyEmailRequested?.call(null, {\n deviceId,\n deviceMetadata,\n account,\n input,\n })\n }\n\n public async verifyEmailConfirm(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: VerifyEmailConfirmInput,\n account: Account,\n ): Promise<Account> {\n await this.hooks.onVerifyEmailConfirm?.call(null, {\n deviceId,\n deviceMetadata,\n account,\n input,\n })\n\n const updatedAccount = await this.store.verifyEmailConfirm(input)\n\n if (!updatedAccount) {\n throw new InvalidRequestError('Invalid token')\n }\n\n await this.hooks.onVerifyEmailConfirmed?.call(null, {\n deviceId,\n deviceMetadata,\n account: updatedAccount,\n input,\n })\n\n return updatedAccount\n }\n\n public async updateHandle(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: UpdateHandleData,\n account: Account,\n ): Promise<Account> {\n await this.hooks.onUpdateHandle?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account,\n })\n\n const updatedAccount = await this.store.updateHandle(input)\n\n await this.hooks.onUpdatedHandle?.call(null, {\n deviceId,\n deviceMetadata,\n input,\n account: updatedAccount,\n })\n\n return updatedAccount\n }\n\n public async deactivateAccount(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n account: Account,\n ): Promise<Account> {\n await this.hooks.onDeactivateAccount?.call(null, {\n deviceId,\n deviceMetadata,\n account,\n })\n\n const updatedAccount = await callAsync(() =>\n this.store.deactivateAccount({ did: account.did }),\n ).catch((err) => {\n throw InvalidRequestError.from(err, 'Account deactivation failed')\n })\n\n await this.hooks.onDeactivatedAccount?.call(null, {\n deviceId,\n deviceMetadata,\n account: updatedAccount,\n })\n\n return updatedAccount\n }\n\n public async reactivateAccount(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n account: Account,\n ): Promise<Account> {\n await this.hooks.onReactivateAccount?.call(null, {\n deviceId,\n deviceMetadata,\n account,\n })\n\n const updatedAccount = await callAsync(() =>\n this.store.reactivateAccount({ did: account.did }),\n ).catch((err) => {\n throw InvalidRequestError.from(err, 'Account reactivation failed')\n })\n\n await this.hooks.onReactivatedAccount?.call(null, {\n deviceId,\n deviceMetadata,\n account: updatedAccount,\n })\n\n return updatedAccount\n }\n\n public async deleteAccountRequest(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: DeleteAccountRequestInput,\n account: Account,\n ): Promise<void> {\n await this.hooks.onDeleteAccountRequest?.call(null, {\n deviceId,\n deviceMetadata,\n account,\n })\n\n await this.store.deleteAccountRequest(input)\n\n await this.hooks.onDeleteAccountRequested?.call(null, {\n deviceId,\n deviceMetadata,\n account,\n })\n }\n\n public async deleteAccountConfirm(\n deviceId: DeviceId,\n deviceMetadata: RequestMetadata,\n input: DeleteAccountConfirmInput,\n account: Account,\n ): Promise<void> {\n return constantTime(BRUTE_FORCE_MITIGATION_DELAY, async () => {\n await this.hooks.onDeleteAccountConfirm?.call(null, {\n deviceId,\n deviceMetadata,\n account,\n })\n\n await callAsync(() => this.store.deleteAccountConfirm(input)).catch(\n (err) => {\n throw InvalidRequestError.from(err, 'Account deletion failed')\n },\n )\n\n await this.hooks.onDeleteAccountConfirmed?.call(null, {\n deviceId,\n deviceMetadata,\n account,\n input,\n })\n })\n }\n}\n"]}
|
|
@@ -1,4 +1,5 @@
|
|
|
1
|
-
import
|
|
1
|
+
import { Did } from '@atproto/did';
|
|
2
|
+
import type { Account, ConfirmAccountDeletionInput, ConfirmEmailUpdateInput, ConfirmEmailVerificationInput, ConfirmResetPasswordInput, DeactivateAccountInput, InitiateAccountDeletionInput, InitiateEmailUpdateInput, InitiateEmailUpdateOutput, InitiateEmailVerificationInput, InitiatePasswordResetInput, ReactivateAccountInput, UpdateHandleInput } from '@atproto/oauth-provider-api';
|
|
2
3
|
import { OAuthScope } from '@atproto/oauth-types';
|
|
3
4
|
import { ClientId } from '../client/client-id.js';
|
|
4
5
|
import { DeviceId } from '../device/device-id.js';
|
|
@@ -6,15 +7,13 @@ import { DeviceData } from '../device/device-store.js';
|
|
|
6
7
|
import { HcaptchaVerifyResult } from '../lib/hcaptcha.js';
|
|
7
8
|
import { Awaitable } from '../lib/util/type.js';
|
|
8
9
|
import { HandleUnavailableError, InvalidCredentialsError, InvalidRequestError, SecondAuthenticationFactorRequiredError } from '../oauth-errors.js';
|
|
9
|
-
import { Sub } from '../oidc/sub.js';
|
|
10
10
|
import { InviteCode } from '../types/invite-code.js';
|
|
11
11
|
import { SignUpInput } from './sign-up-input.js';
|
|
12
12
|
export * from '../client/client-id.js';
|
|
13
13
|
export * from '../device/device-data.js';
|
|
14
14
|
export * from '../device/device-id.js';
|
|
15
|
-
export * from '../oidc/sub.js';
|
|
16
15
|
export * from '../request/request-id.js';
|
|
17
|
-
export type { Account, HcaptchaVerifyResult, InviteCode, OAuthScope, SignUpInput, };
|
|
16
|
+
export type { Account, Did, HcaptchaVerifyResult, InviteCode, OAuthScope, SignUpInput, };
|
|
18
17
|
export { HandleUnavailableError, InvalidCredentialsError, InvalidRequestError, SecondAuthenticationFactorRequiredError, };
|
|
19
18
|
export type ResetPasswordRequestInput = InitiatePasswordResetInput;
|
|
20
19
|
export type ResetPasswordConfirmInput = ConfirmResetPasswordInput;
|
|
@@ -24,6 +23,10 @@ export type UpdateEmailConfirmInput = ConfirmEmailUpdateInput;
|
|
|
24
23
|
export type VerifyEmailRequestInput = InitiateEmailVerificationInput;
|
|
25
24
|
export type VerifyEmailConfirmInput = ConfirmEmailVerificationInput;
|
|
26
25
|
export type UpdateHandleData = UpdateHandleInput;
|
|
26
|
+
export type DeactivateAccountData = DeactivateAccountInput;
|
|
27
|
+
export type ReactivateAccountData = ReactivateAccountInput;
|
|
28
|
+
export type DeleteAccountRequestInput = InitiateAccountDeletionInput;
|
|
29
|
+
export type DeleteAccountConfirmInput = ConfirmAccountDeletionInput;
|
|
27
30
|
export type CreateAccountData = {
|
|
28
31
|
locale: string;
|
|
29
32
|
email: string;
|
|
@@ -81,7 +84,7 @@ export interface AccountStore {
|
|
|
81
84
|
createAccount(data: CreateAccountData): Awaitable<Account>;
|
|
82
85
|
/**
|
|
83
86
|
* @throws {InvalidCredentialsError} - When the credentials are not valid.
|
|
84
|
-
* Populate {@link InvalidCredentialsError.
|
|
87
|
+
* Populate {@link InvalidCredentialsError.did} with the subject identifier
|
|
85
88
|
* when the identifier matched an existing account (e.g. wrong password for
|
|
86
89
|
* a known user); omit it when the identifier was not found. Throwing the
|
|
87
90
|
* generic {@link InvalidRequestError} is also accepted for backward
|
|
@@ -93,11 +96,11 @@ export interface AccountStore {
|
|
|
93
96
|
/**
|
|
94
97
|
* Add a client & scopes to the list of authorized clients for the given account.
|
|
95
98
|
*/
|
|
96
|
-
setAuthorizedClient(
|
|
99
|
+
setAuthorizedClient(did: Did, clientId: ClientId, data: AuthorizedClientData): Awaitable<void>;
|
|
97
100
|
/**
|
|
98
101
|
* @throws {InvalidRequestError} - When the credentials are not valid
|
|
99
102
|
*/
|
|
100
|
-
getAccount(
|
|
103
|
+
getAccount(did: Did): Awaitable<{
|
|
101
104
|
account: Account;
|
|
102
105
|
authorizedClients: AuthorizedClients;
|
|
103
106
|
}>;
|
|
@@ -112,7 +115,7 @@ export interface AccountStore {
|
|
|
112
115
|
* {@link RequestStore.deleteRequest}), all accounts bound to that request
|
|
113
116
|
* should be deleted as well.
|
|
114
117
|
*/
|
|
115
|
-
upsertDeviceAccount(deviceId: DeviceId,
|
|
118
|
+
upsertDeviceAccount(deviceId: DeviceId, did: Did): Awaitable<void>;
|
|
116
119
|
/**
|
|
117
120
|
* @param requestId - If provided, the result must either have the same
|
|
118
121
|
* requestId, or not be bound to a particular requestId. If `null`, the
|
|
@@ -120,20 +123,20 @@ export interface AccountStore {
|
|
|
120
123
|
* @throws {InvalidRequestError} - Instead of returning `null` in order to
|
|
121
124
|
* provide a custom error message
|
|
122
125
|
*/
|
|
123
|
-
getDeviceAccount(deviceId: DeviceId,
|
|
126
|
+
getDeviceAccount(deviceId: DeviceId, did: Did): Awaitable<DeviceAccount | null>;
|
|
124
127
|
/**
|
|
125
128
|
* Removes *all* the unbound device-accounts associated with the given device
|
|
126
129
|
* & account.
|
|
127
130
|
*
|
|
128
131
|
* @note Noop if the device-account is not found.
|
|
129
132
|
*/
|
|
130
|
-
removeDeviceAccount(deviceId: DeviceId,
|
|
133
|
+
removeDeviceAccount(deviceId: DeviceId, did: Did): Awaitable<void>;
|
|
131
134
|
/**
|
|
132
135
|
* @returns **all** the device accounts that match the {@link requestId}
|
|
133
136
|
* criteria and given {@link filter}.
|
|
134
137
|
*/
|
|
135
138
|
listDeviceAccounts(filter: {
|
|
136
|
-
|
|
139
|
+
did: Did;
|
|
137
140
|
} | {
|
|
138
141
|
deviceId: DeviceId;
|
|
139
142
|
}): Awaitable<DeviceAccount[]>;
|
|
@@ -143,8 +146,8 @@ export interface AccountStore {
|
|
|
143
146
|
/**
|
|
144
147
|
* Must trigger a verification email to be sent to the new email address, that
|
|
145
148
|
* will then be confirmed through {@link updateEmailConfirm}. The account's
|
|
146
|
-
*
|
|
147
|
-
* confirmed.
|
|
149
|
+
* {@link Account['emailVerified'] emailVerified} field is expected to become
|
|
150
|
+
* `false` until the new email is confirmed.
|
|
148
151
|
*/
|
|
149
152
|
updateEmailConfirm(data: UpdateEmailConfirmInput): Awaitable<Account | null>;
|
|
150
153
|
verifyEmailRequest(data: VerifyEmailRequestInput): Awaitable<void>;
|
|
@@ -159,6 +162,37 @@ export interface AccountStore {
|
|
|
159
162
|
* cannot be used
|
|
160
163
|
*/
|
|
161
164
|
updateHandle(data: UpdateHandleData): Awaitable<Account>;
|
|
165
|
+
/**
|
|
166
|
+
* Mark the account as deactivated. The account remains recoverable. Should
|
|
167
|
+
* be a no-op when the account is already deactivated.
|
|
168
|
+
*
|
|
169
|
+
* @throws {InvalidRequestError} - When the account cannot be deactivated
|
|
170
|
+
* (e.g. unknown account)
|
|
171
|
+
*/
|
|
172
|
+
deactivateAccount(data: DeactivateAccountData): Awaitable<Account>;
|
|
173
|
+
/**
|
|
174
|
+
* Reactivate a previously-deactivated account. Should be a no-op when the
|
|
175
|
+
* account is already active.
|
|
176
|
+
*
|
|
177
|
+
* @throws {InvalidRequestError} - When the account cannot be reactivated
|
|
178
|
+
* (e.g. unknown account)
|
|
179
|
+
*/
|
|
180
|
+
reactivateAccount(data: ReactivateAccountData): Awaitable<Account>;
|
|
181
|
+
/**
|
|
182
|
+
* Initiate account deletion: typically sends a confirmation token to the
|
|
183
|
+
* account's email address. The account is NOT deleted until
|
|
184
|
+
* {@link deleteAccountConfirm} is called with the matching token and the
|
|
185
|
+
* user's current password.
|
|
186
|
+
*/
|
|
187
|
+
deleteAccountRequest(data: DeleteAccountRequestInput): Awaitable<void>;
|
|
188
|
+
/**
|
|
189
|
+
* Finalize account deletion. Implementations MUST verify both the email
|
|
190
|
+
* confirmation `token` issued by {@link deleteAccountRequest} and the user's
|
|
191
|
+
* current `password` before deleting any data. Deletion is irreversible.
|
|
192
|
+
*
|
|
193
|
+
* @throws {InvalidRequestError} - When the token or password is invalid.
|
|
194
|
+
*/
|
|
195
|
+
deleteAccountConfirm(data: DeleteAccountConfirmInput): Awaitable<void>;
|
|
162
196
|
}
|
|
163
197
|
export declare const isAccountStore: <V extends Partial<AccountStore>>(value: V) => value is V & import("../lib/util/type.js").RequiredDefined<AccountStore>;
|
|
164
198
|
export declare function asAccountStore<V>(implementation: V): V & AccountStore;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"account-store.d.ts","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,OAAO,EACP,uBAAuB,EACvB,6BAA6B,EAC7B,yBAAyB,EACzB,wBAAwB,EACxB,yBAAyB,EACzB,8BAA8B,EAC9B,0BAA0B,EAC1B,iBAAiB,EAClB,MAAM,6BAA6B,CAAA;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AACzD,OAAO,EAAE,SAAS,EAAyB,MAAM,qBAAqB,CAAA;AACtE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,uCAAuC,EACxC,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"account-store.d.ts","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAClC,OAAO,KAAK,EACV,OAAO,EACP,2BAA2B,EAC3B,uBAAuB,EACvB,6BAA6B,EAC7B,yBAAyB,EACzB,sBAAsB,EACtB,4BAA4B,EAC5B,wBAAwB,EACxB,yBAAyB,EACzB,8BAA8B,EAC9B,0BAA0B,EAC1B,sBAAsB,EACtB,iBAAiB,EAClB,MAAM,6BAA6B,CAAA;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AACzD,OAAO,EAAE,SAAS,EAAyB,MAAM,qBAAqB,CAAA;AACtE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,uCAAuC,EACxC,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAIhD,cAAc,wBAAwB,CAAA;AACtC,cAAc,0BAA0B,CAAA;AACxC,cAAc,wBAAwB,CAAA;AACtC,cAAc,0BAA0B,CAAA;AAExC,YAAY,EACV,OAAO,EACP,GAAG,EACH,oBAAoB,EACpB,UAAU,EACV,UAAU,EACV,WAAW,GACZ,CAAA;AAED,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,uCAAuC,GACxC,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG,0BAA0B,CAAA;AAClE,MAAM,MAAM,yBAAyB,GAAG,yBAAyB,CAAA;AAEjE,MAAM,MAAM,uBAAuB,GAAG,wBAAwB,CAAA;AAC9D,MAAM,MAAM,wBAAwB,GAAG,yBAAyB,CAAA;AAChE,MAAM,MAAM,uBAAuB,GAAG,uBAAuB,CAAA;AAC7D,MAAM,MAAM,uBAAuB,GAAG,8BAA8B,CAAA;AACpE,MAAM,MAAM,uBAAuB,GAAG,6BAA6B,CAAA;AACnE,MAAM,MAAM,gBAAgB,GAAG,iBAAiB,CAAA;AAEhD,MAAM,MAAM,qBAAqB,GAAG,sBAAsB,CAAA;AAC1D,MAAM,MAAM,qBAAqB,GAAG,sBAAsB,CAAA;AAC1D,MAAM,MAAM,yBAAyB,GAAG,4BAA4B,CAAA;AACpE,MAAM,MAAM,yBAAyB,GAAG,2BAA2B,CAAA;AAEnE,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,MAAM,CAAA;IACd,UAAU,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CAChC,CAAA;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CAC9B,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG;IAAE,gBAAgB,EAAE,SAAS,MAAM,EAAE,CAAA;CAAE,CAAA;AAC1E,MAAM,MAAM,iBAAiB,GAAG,GAAG,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAA;AAEnE,MAAM,MAAM,aAAa,GAAG;IAC1B,QAAQ,EAAE,QAAQ,CAAA;IAElB;;;;OAIG;IACH,UAAU,EAAE,UAAU,CAAA;IAEtB;;OAEG;IACH,OAAO,EAAE,OAAO,CAAA;IAEhB;;;OAGG;IACH,iBAAiB,EAAE,iBAAiB,CAAA;IAEpC;;;OAGG;IACH,SAAS,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,SAAS,EAAE,IAAI,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,UAAU,GAAG,WAAW,GAAG;IACrC,cAAc,CAAC,EAAE,oBAAoB,CAAA;IACrC,UAAU,CAAC,EAAE,UAAU,CAAA;CACxB,CAAA;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,aAAa,CAAC,IAAI,EAAE,iBAAiB,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAE1D;;;;;;;;;OASG;IACH,mBAAmB,CAAC,IAAI,EAAE,uBAAuB,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAEtE;;OAEG;IACH,mBAAmB,CACjB,GAAG,EAAE,GAAG,EACR,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,oBAAoB,GACzB,SAAS,CAAC,IAAI,CAAC,CAAA;IAElB;;OAEG;IACH,UAAU,CAAC,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC;QAC9B,OAAO,EAAE,OAAO,CAAA;QAChB,iBAAiB,EAAE,iBAAiB,CAAA;KACrC,CAAC,CAAA;IAEF;;;;;;;;;;OAUG;IACH,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAElE;;;;;;OAMG;IACH,gBAAgB,CACd,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,GAAG,GACP,SAAS,CAAC,aAAa,GAAG,IAAI,CAAC,CAAA;IAElC;;;;;OAKG;IACH,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAElE;;;OAGG;IACH,kBAAkB,CAChB,MAAM,EAAE;QAAE,GAAG,EAAE,GAAG,CAAA;KAAE,GAAG;QAAE,QAAQ,EAAE,QAAQ,CAAA;KAAE,GAC5C,SAAS,CAAC,aAAa,EAAE,CAAC,CAAA;IAE7B,oBAAoB,CAClB,IAAI,EAAE,yBAAyB,GAC9B,SAAS,CAAC,IAAI,GAAG,OAAO,CAAC,CAAA;IAE5B,oBAAoB,CAClB,IAAI,EAAE,yBAAyB,GAC9B,SAAS,CAAC,IAAI,GAAG,OAAO,CAAC,CAAA;IAE5B,kBAAkB,CAChB,IAAI,EAAE,uBAAuB,GAC5B,SAAS,CAAC,wBAAwB,CAAC,CAAA;IACtC;;;;;OAKG;IACH,kBAAkB,CAAC,IAAI,EAAE,uBAAuB,GAAG,SAAS,CAAC,OAAO,GAAG,IAAI,CAAC,CAAA;IAE5E,kBAAkB,CAAC,IAAI,EAAE,uBAAuB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAClE,kBAAkB,CAAC,IAAI,EAAE,uBAAuB,GAAG,SAAS,CAAC,OAAO,GAAG,IAAI,CAAC,CAAA;IAE5E;;OAEG;IACH,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAEzD;;;;OAIG;IACH,YAAY,CAAC,IAAI,EAAE,gBAAgB,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAExD;;;;;;OAMG;IACH,iBAAiB,CAAC,IAAI,EAAE,qBAAqB,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAElE;;;;;;OAMG;IACH,iBAAiB,CAAC,IAAI,EAAE,qBAAqB,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAElE;;;;;OAKG;IACH,oBAAoB,CAAC,IAAI,EAAE,yBAAyB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAEtE;;;;;;OAMG;IACH,oBAAoB,CAAC,IAAI,EAAE,yBAAyB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;CACvE;AAED,eAAO,MAAM,cAAc,yHAqBzB,CAAA;AAEF,wBAAgB,cAAc,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,GAAG,CAAC,GAAG,YAAY,CAKrE"}
|
|
@@ -4,15 +4,18 @@ import { HandleUnavailableError, InvalidCredentialsError, InvalidRequestError, S
|
|
|
4
4
|
export * from '../client/client-id.js';
|
|
5
5
|
export * from '../device/device-data.js';
|
|
6
6
|
export * from '../device/device-id.js';
|
|
7
|
-
export * from '../oidc/sub.js';
|
|
8
7
|
export * from '../request/request-id.js';
|
|
9
8
|
export { HandleUnavailableError, InvalidCredentialsError, InvalidRequestError, SecondAuthenticationFactorRequiredError, };
|
|
10
9
|
export const isAccountStore = buildInterfaceChecker([
|
|
11
10
|
'authenticateAccount',
|
|
12
11
|
'createAccount',
|
|
12
|
+
'deactivateAccount',
|
|
13
|
+
'deleteAccountConfirm',
|
|
14
|
+
'deleteAccountRequest',
|
|
13
15
|
'getAccount',
|
|
14
16
|
'getDeviceAccount',
|
|
15
17
|
'listDeviceAccounts',
|
|
18
|
+
'reactivateAccount',
|
|
16
19
|
'removeDeviceAccount',
|
|
17
20
|
'resetPasswordConfirm',
|
|
18
21
|
'resetPasswordRequest',
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"account-store.js","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAa,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AACtE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,uCAAuC,GACxC,MAAM,oBAAoB,CAAA;AAK3B,kEAAkE;AAElE,cAAc,wBAAwB,CAAA;AACtC,cAAc,0BAA0B,CAAA;AACxC,cAAc,wBAAwB,CAAA;AACtC,cAAc,gBAAgB,CAAA;AAC9B,cAAc,0BAA0B,CAAA;AAUxC,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,uCAAuC,GACxC,CAAA;AAqLD,MAAM,CAAC,MAAM,cAAc,GAAG,qBAAqB,CAAe;IAChE,qBAAqB;IACrB,eAAe;IACf,YAAY;IACZ,kBAAkB;IAClB,oBAAoB;IACpB,qBAAqB;IACrB,sBAAsB;IACtB,sBAAsB;IACtB,qBAAqB;IACrB,oBAAoB;IACpB,oBAAoB;IACpB,cAAc;IACd,qBAAqB;IACrB,oBAAoB;IACpB,oBAAoB;IACpB,0BAA0B;CAC3B,CAAC,CAAA;AAEF,MAAM,UAAU,cAAc,CAAI,cAAiB;IACjD,IAAI,CAAC,cAAc,IAAI,CAAC,cAAc,CAAC,cAAc,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC","sourcesContent":["import type {\n Account,\n ConfirmEmailUpdateInput,\n ConfirmEmailVerificationInput,\n ConfirmResetPasswordInput,\n InitiateEmailUpdateInput,\n InitiateEmailUpdateOutput,\n InitiateEmailVerificationInput,\n InitiatePasswordResetInput,\n UpdateHandleInput,\n} from '@atproto/oauth-provider-api'\nimport { OAuthScope } from '@atproto/oauth-types'\nimport { ClientId } from '../client/client-id.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { DeviceData } from '../device/device-store.js'\nimport { HcaptchaVerifyResult } from '../lib/hcaptcha.js'\nimport { Awaitable, buildInterfaceChecker } from '../lib/util/type.js'\nimport {\n HandleUnavailableError,\n InvalidCredentialsError,\n InvalidRequestError,\n SecondAuthenticationFactorRequiredError,\n} from '../oauth-errors.js'\nimport { Sub } from '../oidc/sub.js'\nimport { InviteCode } from '../types/invite-code.js'\nimport { SignUpInput } from './sign-up-input.js'\n\n// Export all types needed to implement the AccountStore interface\n\nexport * from '../client/client-id.js'\nexport * from '../device/device-data.js'\nexport * from '../device/device-id.js'\nexport * from '../oidc/sub.js'\nexport * from '../request/request-id.js'\n\nexport type {\n Account,\n HcaptchaVerifyResult,\n InviteCode,\n OAuthScope,\n SignUpInput,\n}\n\nexport {\n HandleUnavailableError,\n InvalidCredentialsError,\n InvalidRequestError,\n SecondAuthenticationFactorRequiredError,\n}\n\nexport type ResetPasswordRequestInput = InitiatePasswordResetInput\nexport type ResetPasswordConfirmInput = ConfirmResetPasswordInput\n\nexport type UpdateEmailRequestInput = InitiateEmailUpdateInput\nexport type UpdateEmailRequestOutput = InitiateEmailUpdateOutput\nexport type UpdateEmailConfirmInput = ConfirmEmailUpdateInput\nexport type VerifyEmailRequestInput = InitiateEmailVerificationInput\nexport type VerifyEmailConfirmInput = ConfirmEmailVerificationInput\nexport type UpdateHandleData = UpdateHandleInput\n\nexport type CreateAccountData = {\n locale: string\n email: string\n password: string\n handle: string\n inviteCode?: string | undefined\n}\n\nexport type AuthenticateAccountData = {\n locale: string\n password: string\n username: string\n emailOtp?: string | undefined\n}\n\nexport type AuthorizedClientData = { authorizedScopes: readonly string[] }\nexport type AuthorizedClients = Map<ClientId, AuthorizedClientData>\n\nexport type DeviceAccount = {\n deviceId: DeviceId\n\n /**\n * The data associated with the device, created through the\n * {@link DeviceStore}. This data is used to identify devices on which a user\n * has logged in.\n */\n deviceData: DeviceData\n\n /**\n * The account associated with the device account.\n */\n account: Account\n\n /**\n * The list of clients that are authorized by the account, as created through\n * the {@link AccountStore.setAuthorizedClient} method.\n */\n authorizedClients: AuthorizedClients\n\n /**\n * The date at which the device account was created. This value is currently\n * not used.\n */\n createdAt: Date\n\n /**\n * The date at which the device account was last updated. This value is used\n * to determine the date at which the user last authenticated on a device\n */\n updatedAt: Date\n}\n\nexport type SignUpData = SignUpInput & {\n hcaptchaResult?: HcaptchaVerifyResult\n inviteCode?: InviteCode\n}\n\nexport interface AccountStore {\n /**\n * @throws {HandleUnavailableError} - To indicate that the handle is already taken\n * @throws {InvalidRequestError} - To indicate that some data is invalid\n */\n createAccount(data: CreateAccountData): Awaitable<Account>\n\n /**\n * @throws {InvalidCredentialsError} - When the credentials are not valid.\n * Populate {@link InvalidCredentialsError.sub} with the subject identifier\n * when the identifier matched an existing account (e.g. wrong password for\n * a known user); omit it when the identifier was not found. Throwing the\n * generic {@link InvalidRequestError} is also accepted for backward\n * compatibility but prevents the `onSignInFailed` hook from distinguishing\n * the two cases.\n * @throws {SecondAuthenticationFactorRequiredError} - To indicate that an {@link SecondAuthenticationFactorRequiredError.type} is required in the credentials\n */\n authenticateAccount(data: AuthenticateAccountData): Awaitable<Account>\n\n /**\n * Add a client & scopes to the list of authorized clients for the given account.\n */\n setAuthorizedClient(\n sub: Sub,\n clientId: ClientId,\n data: AuthorizedClientData,\n ): Awaitable<void>\n\n /**\n * @throws {InvalidRequestError} - When the credentials are not valid\n */\n getAccount(sub: Sub): Awaitable<{\n account: Account\n authorizedClients: AuthorizedClients\n }>\n\n /**\n * @param data.requestId - If provided, the inserted account must be bound to\n * that particular requestId.\n *\n * @note Whenever a particular device account is created, all **unbound**\n * device accounts for the same `deviceId` & `sub` should be deleted.\n *\n * @note When a particular request is deleted (through\n * {@link RequestStore.deleteRequest}), all accounts bound to that request\n * should be deleted as well.\n */\n upsertDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<void>\n\n /**\n * @param requestId - If provided, the result must either have the same\n * requestId, or not be bound to a particular requestId. If `null`, the\n * result must not be bound to a particular requestId.\n * @throws {InvalidRequestError} - Instead of returning `null` in order to\n * provide a custom error message\n */\n getDeviceAccount(\n deviceId: DeviceId,\n sub: Sub,\n ): Awaitable<DeviceAccount | null>\n\n /**\n * Removes *all* the unbound device-accounts associated with the given device\n * & account.\n *\n * @note Noop if the device-account is not found.\n */\n removeDeviceAccount(deviceId: DeviceId, sub: Sub): Awaitable<void>\n\n /**\n * @returns **all** the device accounts that match the {@link requestId}\n * criteria and given {@link filter}.\n */\n listDeviceAccounts(\n filter: { sub: Sub } | { deviceId: DeviceId },\n ): Awaitable<DeviceAccount[]>\n\n resetPasswordRequest(\n data: ResetPasswordRequestInput,\n ): Awaitable<null | Account>\n\n resetPasswordConfirm(\n data: ResetPasswordConfirmInput,\n ): Awaitable<null | Account>\n\n updateEmailRequest(\n data: UpdateEmailRequestInput,\n ): Awaitable<UpdateEmailRequestOutput>\n /**\n * Must trigger a verification email to be sent to the new email address, that\n * will then be confirmed through {@link updateEmailConfirm}. The account's\n * `email_verified` field is expected to become `false` until the new email is\n * confirmed.\n */\n updateEmailConfirm(data: UpdateEmailConfirmInput): Awaitable<Account | null>\n\n verifyEmailRequest(data: VerifyEmailRequestInput): Awaitable<void>\n verifyEmailConfirm(data: VerifyEmailConfirmInput): Awaitable<Account | null>\n\n /**\n * @throws {HandleUnavailableError} - To indicate that the handle is already taken\n */\n verifyHandleAvailability(handle: string): Awaitable<void>\n\n /**\n * @throws {HandleUnavailableError} - To indicate that the handle is already taken\n * @throws {InvalidRequestError} - To indicate that the handle is invalid or\n * cannot be used\n */\n updateHandle(data: UpdateHandleData): Awaitable<Account>\n}\n\nexport const isAccountStore = buildInterfaceChecker<AccountStore>([\n 'authenticateAccount',\n 'createAccount',\n 'getAccount',\n 'getDeviceAccount',\n 'listDeviceAccounts',\n 'removeDeviceAccount',\n 'resetPasswordConfirm',\n 'resetPasswordRequest',\n 'setAuthorizedClient',\n 'updateEmailConfirm',\n 'updateEmailRequest',\n 'updateHandle',\n 'upsertDeviceAccount',\n 'verifyEmailConfirm',\n 'verifyEmailRequest',\n 'verifyHandleAvailability',\n])\n\nexport function asAccountStore<V>(implementation: V): V & AccountStore {\n if (!implementation || !isAccountStore(implementation)) {\n throw new Error('Invalid AccountStore implementation')\n }\n return implementation\n}\n"]}
|
|
1
|
+
{"version":3,"file":"account-store.js","sourceRoot":"","sources":["../../src/account/account-store.ts"],"names":[],"mappings":"AAqBA,OAAO,EAAa,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AACtE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,uCAAuC,GACxC,MAAM,oBAAoB,CAAA;AAI3B,kEAAkE;AAElE,cAAc,wBAAwB,CAAA;AACtC,cAAc,0BAA0B,CAAA;AACxC,cAAc,wBAAwB,CAAA;AACtC,cAAc,0BAA0B,CAAA;AAWxC,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,uCAAuC,GACxC,CAAA;AA6ND,MAAM,CAAC,MAAM,cAAc,GAAG,qBAAqB,CAAe;IAChE,qBAAqB;IACrB,eAAe;IACf,mBAAmB;IACnB,sBAAsB;IACtB,sBAAsB;IACtB,YAAY;IACZ,kBAAkB;IAClB,oBAAoB;IACpB,mBAAmB;IACnB,qBAAqB;IACrB,sBAAsB;IACtB,sBAAsB;IACtB,qBAAqB;IACrB,oBAAoB;IACpB,oBAAoB;IACpB,cAAc;IACd,qBAAqB;IACrB,oBAAoB;IACpB,oBAAoB;IACpB,0BAA0B;CAC3B,CAAC,CAAA;AAEF,MAAM,UAAU,cAAc,CAAI,cAAiB;IACjD,IAAI,CAAC,cAAc,IAAI,CAAC,cAAc,CAAC,cAAc,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC","sourcesContent":["import { Did } from '@atproto/did'\nimport type {\n Account,\n ConfirmAccountDeletionInput,\n ConfirmEmailUpdateInput,\n ConfirmEmailVerificationInput,\n ConfirmResetPasswordInput,\n DeactivateAccountInput,\n InitiateAccountDeletionInput,\n InitiateEmailUpdateInput,\n InitiateEmailUpdateOutput,\n InitiateEmailVerificationInput,\n InitiatePasswordResetInput,\n ReactivateAccountInput,\n UpdateHandleInput,\n} from '@atproto/oauth-provider-api'\nimport { OAuthScope } from '@atproto/oauth-types'\nimport { ClientId } from '../client/client-id.js'\nimport { DeviceId } from '../device/device-id.js'\nimport { DeviceData } from '../device/device-store.js'\nimport { HcaptchaVerifyResult } from '../lib/hcaptcha.js'\nimport { Awaitable, buildInterfaceChecker } from '../lib/util/type.js'\nimport {\n HandleUnavailableError,\n InvalidCredentialsError,\n InvalidRequestError,\n SecondAuthenticationFactorRequiredError,\n} from '../oauth-errors.js'\nimport { InviteCode } from '../types/invite-code.js'\nimport { SignUpInput } from './sign-up-input.js'\n\n// Export all types needed to implement the AccountStore interface\n\nexport * from '../client/client-id.js'\nexport * from '../device/device-data.js'\nexport * from '../device/device-id.js'\nexport * from '../request/request-id.js'\n\nexport type {\n Account,\n Did,\n HcaptchaVerifyResult,\n InviteCode,\n OAuthScope,\n SignUpInput,\n}\n\nexport {\n HandleUnavailableError,\n InvalidCredentialsError,\n InvalidRequestError,\n SecondAuthenticationFactorRequiredError,\n}\n\nexport type ResetPasswordRequestInput = InitiatePasswordResetInput\nexport type ResetPasswordConfirmInput = ConfirmResetPasswordInput\n\nexport type UpdateEmailRequestInput = InitiateEmailUpdateInput\nexport type UpdateEmailRequestOutput = InitiateEmailUpdateOutput\nexport type UpdateEmailConfirmInput = ConfirmEmailUpdateInput\nexport type VerifyEmailRequestInput = InitiateEmailVerificationInput\nexport type VerifyEmailConfirmInput = ConfirmEmailVerificationInput\nexport type UpdateHandleData = UpdateHandleInput\n\nexport type DeactivateAccountData = DeactivateAccountInput\nexport type ReactivateAccountData = ReactivateAccountInput\nexport type DeleteAccountRequestInput = InitiateAccountDeletionInput\nexport type DeleteAccountConfirmInput = ConfirmAccountDeletionInput\n\nexport type CreateAccountData = {\n locale: string\n email: string\n password: string\n handle: string\n inviteCode?: string | undefined\n}\n\nexport type AuthenticateAccountData = {\n locale: string\n password: string\n username: string\n emailOtp?: string | undefined\n}\n\nexport type AuthorizedClientData = { authorizedScopes: readonly string[] }\nexport type AuthorizedClients = Map<ClientId, AuthorizedClientData>\n\nexport type DeviceAccount = {\n deviceId: DeviceId\n\n /**\n * The data associated with the device, created through the\n * {@link DeviceStore}. This data is used to identify devices on which a user\n * has logged in.\n */\n deviceData: DeviceData\n\n /**\n * The account associated with the device account.\n */\n account: Account\n\n /**\n * The list of clients that are authorized by the account, as created through\n * the {@link AccountStore.setAuthorizedClient} method.\n */\n authorizedClients: AuthorizedClients\n\n /**\n * The date at which the device account was created. This value is currently\n * not used.\n */\n createdAt: Date\n\n /**\n * The date at which the device account was last updated. This value is used\n * to determine the date at which the user last authenticated on a device\n */\n updatedAt: Date\n}\n\nexport type SignUpData = SignUpInput & {\n hcaptchaResult?: HcaptchaVerifyResult\n inviteCode?: InviteCode\n}\n\nexport interface AccountStore {\n /**\n * @throws {HandleUnavailableError} - To indicate that the handle is already taken\n * @throws {InvalidRequestError} - To indicate that some data is invalid\n */\n createAccount(data: CreateAccountData): Awaitable<Account>\n\n /**\n * @throws {InvalidCredentialsError} - When the credentials are not valid.\n * Populate {@link InvalidCredentialsError.did} with the subject identifier\n * when the identifier matched an existing account (e.g. wrong password for\n * a known user); omit it when the identifier was not found. Throwing the\n * generic {@link InvalidRequestError} is also accepted for backward\n * compatibility but prevents the `onSignInFailed` hook from distinguishing\n * the two cases.\n * @throws {SecondAuthenticationFactorRequiredError} - To indicate that an {@link SecondAuthenticationFactorRequiredError.type} is required in the credentials\n */\n authenticateAccount(data: AuthenticateAccountData): Awaitable<Account>\n\n /**\n * Add a client & scopes to the list of authorized clients for the given account.\n */\n setAuthorizedClient(\n did: Did,\n clientId: ClientId,\n data: AuthorizedClientData,\n ): Awaitable<void>\n\n /**\n * @throws {InvalidRequestError} - When the credentials are not valid\n */\n getAccount(did: Did): Awaitable<{\n account: Account\n authorizedClients: AuthorizedClients\n }>\n\n /**\n * @param data.requestId - If provided, the inserted account must be bound to\n * that particular requestId.\n *\n * @note Whenever a particular device account is created, all **unbound**\n * device accounts for the same `deviceId` & `sub` should be deleted.\n *\n * @note When a particular request is deleted (through\n * {@link RequestStore.deleteRequest}), all accounts bound to that request\n * should be deleted as well.\n */\n upsertDeviceAccount(deviceId: DeviceId, did: Did): Awaitable<void>\n\n /**\n * @param requestId - If provided, the result must either have the same\n * requestId, or not be bound to a particular requestId. If `null`, the\n * result must not be bound to a particular requestId.\n * @throws {InvalidRequestError} - Instead of returning `null` in order to\n * provide a custom error message\n */\n getDeviceAccount(\n deviceId: DeviceId,\n did: Did,\n ): Awaitable<DeviceAccount | null>\n\n /**\n * Removes *all* the unbound device-accounts associated with the given device\n * & account.\n *\n * @note Noop if the device-account is not found.\n */\n removeDeviceAccount(deviceId: DeviceId, did: Did): Awaitable<void>\n\n /**\n * @returns **all** the device accounts that match the {@link requestId}\n * criteria and given {@link filter}.\n */\n listDeviceAccounts(\n filter: { did: Did } | { deviceId: DeviceId },\n ): Awaitable<DeviceAccount[]>\n\n resetPasswordRequest(\n data: ResetPasswordRequestInput,\n ): Awaitable<null | Account>\n\n resetPasswordConfirm(\n data: ResetPasswordConfirmInput,\n ): Awaitable<null | Account>\n\n updateEmailRequest(\n data: UpdateEmailRequestInput,\n ): Awaitable<UpdateEmailRequestOutput>\n /**\n * Must trigger a verification email to be sent to the new email address, that\n * will then be confirmed through {@link updateEmailConfirm}. The account's\n * {@link Account['emailVerified'] emailVerified} field is expected to become\n * `false` until the new email is confirmed.\n */\n updateEmailConfirm(data: UpdateEmailConfirmInput): Awaitable<Account | null>\n\n verifyEmailRequest(data: VerifyEmailRequestInput): Awaitable<void>\n verifyEmailConfirm(data: VerifyEmailConfirmInput): Awaitable<Account | null>\n\n /**\n * @throws {HandleUnavailableError} - To indicate that the handle is already taken\n */\n verifyHandleAvailability(handle: string): Awaitable<void>\n\n /**\n * @throws {HandleUnavailableError} - To indicate that the handle is already taken\n * @throws {InvalidRequestError} - To indicate that the handle is invalid or\n * cannot be used\n */\n updateHandle(data: UpdateHandleData): Awaitable<Account>\n\n /**\n * Mark the account as deactivated. The account remains recoverable. Should\n * be a no-op when the account is already deactivated.\n *\n * @throws {InvalidRequestError} - When the account cannot be deactivated\n * (e.g. unknown account)\n */\n deactivateAccount(data: DeactivateAccountData): Awaitable<Account>\n\n /**\n * Reactivate a previously-deactivated account. Should be a no-op when the\n * account is already active.\n *\n * @throws {InvalidRequestError} - When the account cannot be reactivated\n * (e.g. unknown account)\n */\n reactivateAccount(data: ReactivateAccountData): Awaitable<Account>\n\n /**\n * Initiate account deletion: typically sends a confirmation token to the\n * account's email address. The account is NOT deleted until\n * {@link deleteAccountConfirm} is called with the matching token and the\n * user's current password.\n */\n deleteAccountRequest(data: DeleteAccountRequestInput): Awaitable<void>\n\n /**\n * Finalize account deletion. Implementations MUST verify both the email\n * confirmation `token` issued by {@link deleteAccountRequest} and the user's\n * current `password` before deleting any data. Deletion is irreversible.\n *\n * @throws {InvalidRequestError} - When the token or password is invalid.\n */\n deleteAccountConfirm(data: DeleteAccountConfirmInput): Awaitable<void>\n}\n\nexport const isAccountStore = buildInterfaceChecker<AccountStore>([\n 'authenticateAccount',\n 'createAccount',\n 'deactivateAccount',\n 'deleteAccountConfirm',\n 'deleteAccountRequest',\n 'getAccount',\n 'getDeviceAccount',\n 'listDeviceAccounts',\n 'reactivateAccount',\n 'removeDeviceAccount',\n 'resetPasswordConfirm',\n 'resetPasswordRequest',\n 'setAuthorizedClient',\n 'updateEmailConfirm',\n 'updateEmailRequest',\n 'updateHandle',\n 'upsertDeviceAccount',\n 'verifyEmailConfirm',\n 'verifyEmailRequest',\n 'verifyHandleAvailability',\n])\n\nexport function asAccountStore<V>(implementation: V): V & AccountStore {\n if (!implementation || !isAccountStore(implementation)) {\n throw new Error('Invalid AccountStore implementation')\n }\n return implementation\n}\n"]}
|